diff --git a/lib/galaxy/security/validate_user_input.py b/lib/galaxy/security/validate_user_input.py
index 86d890cdf3cb..a5400bd0ee02 100644
--- a/lib/galaxy/security/validate_user_input.py
+++ b/lib/galaxy/security/validate_user_input.py
@@ -10,7 +10,10 @@
 
 import dns.resolver
 from dns.exception import DNSException
-from sqlalchemy import func
+from sqlalchemy import (
+    func,
+    select,
+)
 from typing_extensions import LiteralString
 
 from galaxy.objectstore import ObjectStore
@@ -78,13 +81,8 @@ def validate_email(trans, email, user=None, check_dup=True, allow_empty=False, v
         domain = extract_domain(email)
         message = validate_email_domain_name(domain)
 
-    if (
-        not message
-        and check_dup
-        and trans.sa_session.query(trans.app.model.User)
-        .filter(func.lower(trans.app.model.User.table.c.email) == email.lower())
-        .first()
-    ):
+    stmt = select(trans.app.model.User).filter(func.lower(trans.app.model.User.email) == email.lower()).limit(1)
+    if not message and check_dup and trans.sa_session.scalars(stmt).first():
         message = f"User with email '{email}' already exists."
 
     if not message:
@@ -134,7 +132,9 @@ def validate_publicname(trans, publicname, user=None):
     message = validate_publicname_str(publicname)
     if message:
         return message
-    if trans.sa_session.query(trans.app.model.User).filter_by(username=publicname).first():
+
+    stmt = select(trans.app.model.User).filter_by(username=publicname).limit(1)
+    if trans.sa_session.scalars(stmt).first():
         return "Public name is taken; please choose another."
     return ""
 
diff --git a/lib/galaxy/security/vault.py b/lib/galaxy/security/vault.py
index 5a1d4a557b62..ee57aa2d1100 100644
--- a/lib/galaxy/security/vault.py
+++ b/lib/galaxy/security/vault.py
@@ -12,6 +12,7 @@
     Fernet,
     MultiFernet,
 )
+from sqlalchemy import select
 
 try:
     from custos.clients.resource_secret_management_client import ResourceSecretManagementClient
@@ -130,7 +131,7 @@ def _get_multi_fernet(self) -> MultiFernet:
         return MultiFernet(self.fernet_keys)
 
     def _update_or_create(self, key: str, value: Optional[str]) -> model.Vault:
-        vault_entry = self.sa_session.query(model.Vault).filter_by(key=key).first()
+        vault_entry = self._get_vault_value(key)
         if vault_entry:
             if value:
                 vault_entry.value = value
@@ -149,7 +150,7 @@ def _update_or_create(self, key: str, value: Optional[str]) -> model.Vault:
         return vault_entry
 
     def read_secret(self, key: str) -> Optional[str]:
-        key_obj = self.sa_session.query(model.Vault).filter_by(key=key).first()
+        key_obj = self._get_vault_value(key)
         if key_obj and key_obj.value:
             f = self._get_multi_fernet()
             return f.decrypt(key_obj.value.encode("utf-8")).decode("utf-8")
@@ -163,6 +164,10 @@ def write_secret(self, key: str, value: str) -> None:
     def list_secrets(self, key: str) -> List[str]:
         raise NotImplementedError()
 
+    def _get_vault_value(self, key):
+        stmt = select(model.Vault).filter_by(key=key).limit(1)
+        return self.sa_session.scalars(stmt).first()
+
 
 class CustosVault(Vault):
     def __init__(self, config):