diff --git a/core/modules/media/src/Controller/OEmbedIframeController.php b/core/modules/media/src/Controller/OEmbedIframeController.php
index 9da8f90502305f4e364d343db9a69d071dcdf554..3c5079f6204add211f1c1ea55d9160ed9242b09e 100644
--- a/core/modules/media/src/Controller/OEmbedIframeController.php
+++ b/core/modules/media/src/Controller/OEmbedIframeController.php
@@ -18,7 +18,7 @@
 use Psr\Log\LoggerInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 
 /**
  * Controller which renders an oEmbed resource in a bare page (without blocks).
@@ -115,7 +115,7 @@ public static function create(ContainerInterface $container) {
    * @return \Symfony\Component\HttpFoundation\Response
    *   The response object.
    *
-   * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+   * @throws \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
    *   Will be thrown if either
    *   - the 'hash' parameter does not match the expected hash of the 'url'
    *     parameter;
@@ -129,7 +129,7 @@ public function render(Request $request) {
       $allowed_host = parse_url($allowed_domain, PHP_URL_HOST);
       $host = parse_url($request->getSchemeAndHttpHost(), PHP_URL_HOST);
       if ($allowed_host !== $host) {
-        throw new AccessDeniedHttpException('This resource is not available');
+        throw new BadRequestHttpException('This resource is not available');
       }
     }
 
@@ -141,7 +141,7 @@ public function render(Request $request) {
     // parameter passed in the query string.
     $hash = $this->iFrameUrlHelper->getHash($url, $max_width, $max_height);
     if (!hash_equals($hash, $request->query->get('hash', ''))) {
-      throw new AccessDeniedHttpException('This resource is not available');
+      throw new BadRequestHttpException('This resource is not available');
     }
 
     // Return a response instead of a render array so that the frame content
diff --git a/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php b/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
index cab7e3073432822b4f483005c007e606b6521a54..62b7500be83356bde64cbbdf49d4a5b221bb3d5b 100644
--- a/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
+++ b/core/modules/media/tests/src/FunctionalJavascript/MediaSourceOEmbedVideoTest.php
@@ -195,7 +195,7 @@ public function testMediaOEmbedVideoSource() {
     $no_hash_query = array_diff_key($query, ['hash' => '']);
     $this->drupalGet('media/oembed', ['query' => $no_hash_query]);
     $assert_session->pageTextNotContains('By the power of Grayskull, Vimeo works!');
-    $assert_session->pageTextContains('Access denied');
+    $assert_session->pageTextContains('Client error');
 
     // A correct query should be allowed because the anonymous role has the
     // 'view media' permission.
diff --git a/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php b/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php
index 9eae8d20cc9f304644bfe05c168afa4f2689da27..479c2313d402495b1b36605943c48cbb229c5d27 100644
--- a/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php
+++ b/core/modules/media/tests/src/Kernel/OEmbedIframeControllerTest.php
@@ -56,7 +56,7 @@ public function testBadHashParameter($hash) {
 
     $this->assertIsCallable($controller);
 
-    $this->expectException('\Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException');
+    $this->expectException('\Symfony\Component\HttpKernel\Exception\BadRequestHttpException');
     $this->expectExceptionMessage('This resource is not available');
     $request = new Request([
       'url' => 'https://example.com/path/to/resource',