diff --git a/app/models/runtime/process_model.rb b/app/models/runtime/process_model.rb
index 9acf22152cd..efa35a1bf35 100644
--- a/app/models/runtime/process_model.rb
+++ b/app/models/runtime/process_model.rb
@@ -579,8 +579,16 @@ def permitted_users
 def docker_run_action_user
 return DEFAULT_USER unless docker?
- docker_exec_metadata = Oj.load(execution_metadata)
- container_user = docker_exec_metadata['user']
+ container_user = ''
+ if execution_metadata.present?
+ begin
+ docker_exec_metadata = Oj.load(execution_metadata)
+ container_user = docker_exec_metadata['user']
+ rescue EncodingError
+ container_user = ''
+ end
+ end
+
 container_user.presence || 'root'
 end
diff --git a/spec/unit/models/runtime/process_model_spec.rb b/spec/unit/models/runtime/process_model_spec.rb
index 66ced4eff0e..95c8b1270d1 100644
--- a/spec/unit/models/runtime/process_model_spec.rb
+++ b/spec/unit/models/runtime/process_model_spec.rb
@@ -708,6 +708,30 @@ def act_as_cf_admin
 expect(process.run_action_user).to eq('root')
 end
 end
+
+ context 'when the droplet execution metadata is an empty string' do
+ let(:droplet_execution_metadata) { '' }
+
+ it 'defaults the user to root' do
+ expect(process.run_action_user).to eq('root')
+ end
+ end
+
+ context 'when the droplet execution metadata is nil' do
+ let(:droplet_execution_metadata) { nil }
+
+ it 'defaults the user to root' do
+ expect(process.run_action_user).to eq('root')
+ end
+ end
+
+ context 'when the droplet execution metadata has invalid json' do
+ let(:droplet_execution_metadata) { '{' }
+
+ it 'defaults the user to root' do
+ expect(process.run_action_user).to eq('root')
+ end
+ end
 end
 context 'when the process DOES NOT belong to a Docker lifecycle app' do
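Review bot: Valid JSON that is not an object still raises out of `docker_run_action_user`, because `docker_exec_metadata['user']` is called on whatever `Oj.load` returns: a stored `null` would give nil (NoMethodError) and `[]` an Array (TypeError), and `rescue EncodingError` catches neither. Guard the lookup with `container_user = docker_exec_metadata['user'] if docker_exec_metadata.is_a?(Hash)`. The three contexts added in the spec hunk cover empty, nil and truncated input but not this shape, so a `'null'` case belongs there too. The rescue branch also ends in `'root'`, the most privileged user, without leaving any trace; a comment such as `# unreadable metadata is treated like metadata with no user, i.e. root` and a log line on the parse failure would make that fallback a visible decision for operators.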