diff --git a/flask_oauthlib/provider/oauth2.py b/flask_oauthlib/provider/oauth2.py
index 27f8f821..551518ce 100644
--- a/flask_oauthlib/provider/oauth2.py
+++ b/flask_oauthlib/provider/oauth2.py
@@ -833,6 +833,9 @@ def validate_code(self, client_id, code, client, request, *args, **kwargs):
 datetime.datetime.utcnow() > grant.expires:
 log.debug('Grant is expired.')
 return False
+ if grant.code != code:
+ log.debug('Grant is invalid.')
+ return False
 
 request.state = kwargs.get('state')
 request.user = grant.user
@@ -859,7 +862,7 @@ def validate_grant_type(self, client_id, grant_type, client, request,
 'authorization_code', 'password', 'client_credentials',
 'refresh_token',
 )
-
+ # Grant type is allowed if it is part of the 'allowed_grant_types'
 # of the selected client or if it is one of the default grant types
 if hasattr(client, 'allowed_grant_types'):
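Review bot: The new `if grant.code != code:` check in validate_code compares an authorization code — a bearer secret — with ordinary `!=`, which stops at the first differing character, so a constant-time comparison is the safer form here: `if not hmac.compare_digest(grant.code, code):` (add `import hmac` at the top of the file if it is not already imported). Both operands must be the same type for compare_digest; if the grant getter can hand back bytes while the request supplies str, normalise before comparing — the getter is outside the hunk, so verify there. The log message `'Grant is invalid.'` could name the condition, e.g. `log.debug('Grant code does not match.')`, so an operator can tell a mismatch from the expiry case logged two lines above. The body of validate_code begins and ends outside this hunk.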