diff --git a/nfctokens/migrations/0010_alter_nfctoken_uid.py b/nfctokens/migrations/0010_alter_nfctoken_uid.py
new file mode 100644
index 0000000..3e21267
--- /dev/null
+++ b/nfctokens/migrations/0010_alter_nfctoken_uid.py
@@ -0,0 +1,48 @@
+# Generated by Django 4.2.11 on 2024-04-16 22:35
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("nfctokens", "0009_alter_nfctoken_options"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="nfctoken",
+            name="uid",
+            field=models.CharField(
+                max_length=32,
+                unique=True,
+                validators=[
+                    django.core.validators.RegexValidator(
+                        message="Enter a valid UID of 8, 14 or 20 hexadecimal digits",
+                        regex="^\\s*([0-9a-fA-F]{8}|[0-9a-fA-F]{14}|[0-9a-fA-F]{20})\\s*$",
+                    ),
+                    django.core.validators.RegexValidator(
+                        inverse_match=True,
+                        message="This is a randomly-generated UID which cannot be used for authentication",
+                        regex="^\\s*08[0-9a-fA-F]{6}\\s*$",
+                    ),
+                    django.core.validators.RegexValidator(
+                        inverse_match=True,
+                        message="This is an invalid UID (contains a cascade tag)",
+                        regex="^\\s*88[0-9a-fA-F]{6}\\s*$",
+                    ),
+                    django.core.validators.RegexValidator(
+                        inverse_match=True,
+                        message="This is an invalid UID (contains a cascade tag)",
+                        regex="^\\s*[0-9a-fA-F]{6}88[0-9a-fA-F]{6}\\s*$",
+                    ),
+                    django.core.validators.RegexValidator(
+                        inverse_match=True,
+                        message="This is an invalid UID (contains a cascade tag)",
+                        regex="^\\s*[0-9a-fA-F]{6}88[0-9a-fA-F]{12}\\s*$",
+                    ),
+                ],
+                verbose_name="UID",
+            ),
+        ),
+    ]
diff --git a/nfctokens/models.py b/nfctokens/models.py
index cd436c2..302ad7d 100644
--- a/nfctokens/models.py
+++ b/nfctokens/models.py
@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: 2022 Tim Hawes <me@timhawes.com>
+# SPDX-FileCopyrightText: 2022-2024 Tim Hawes <me@timhawes.com>
 #
 # SPDX-License-Identifier: MIT
 
@@ -43,6 +43,24 @@ class NFCToken(models.Model):
                 message="This is a randomly-generated UID which cannot be used for authentication",
                 inverse_match=True,
             ),
+            # Invalid due to cascading rules (byte 0 of a 4-byte UID cannot be 0x88)
+            RegexValidator(
+                regex=r"^\s*88[0-9a-fA-F]{6}\s*$",
+                message="This is an invalid UID (contains a cascade tag)",
+                inverse_match=True,
+            ),
+            # Invalid due to cascading rules (byte 3 of a 7-byte UID cannot be 0x88)
+            RegexValidator(
+                regex=r"^\s*[0-9a-fA-F]{6}88[0-9a-fA-F]{6}\s*$",
+                message="This is an invalid UID (contains a cascade tag)",
+                inverse_match=True,
+            ),
+            # Invalid due to cascading rules (byte 3 of a 10-byte UID cannot be 0x88)
+            RegexValidator(
+                regex=r"^\s*[0-9a-fA-F]{6}88[0-9a-fA-F]{12}\s*$",
+                message="This is an invalid UID (contains a cascade tag)",
+                inverse_match=True,
+            ),
         ],
     )
     description = models.CharField(max_length=255, blank=True)