diff --git a/lib/modules/manager/bundler/host-rules.spec.ts b/lib/modules/manager/bundler/host-rules.spec.ts
index f54ae62f969b83b3ec7b06a7604ac919fce47e03..4f88798d29a4b328c500ead43197251ee61cb114 100644
--- a/lib/modules/manager/bundler/host-rules.spec.ts
+++ b/lib/modules/manager/bundler/host-rules.spec.ts
@@ -28,6 +28,15 @@ describe('modules/manager/bundler/host-rules', () => {
         }),
       ).toBe('token');
     });
+
+    it('escapes special characters in the username but not the password', () => {
+      expect(
+        getAuthenticationHeaderValue({
+          username: 'test@example.com',
+          password: 'p@ssword',
+        }),
+      ).toBe('test%40example.com:p@ssword');
+    });
   });
 
   describe('findAllAuthenticatable()', () => {
diff --git a/lib/modules/manager/bundler/host-rules.ts b/lib/modules/manager/bundler/host-rules.ts
index a077709d6b7fd082fc697f1fc2d17c7269c590d2..8c2f2ea22d981f978ca279beed9b8e9ffcc2cec6 100644
--- a/lib/modules/manager/bundler/host-rules.ts
+++ b/lib/modules/manager/bundler/host-rules.ts
@@ -18,8 +18,9 @@ export function findAllAuthenticatable({
 
 export function getAuthenticationHeaderValue(hostRule: HostRule): string {
   if (hostRule.username) {
+    const username = encodeURIComponent(hostRule.username);
     // TODO: types (#22198)
-    return `${hostRule.username}:${hostRule.password!}`;
+    return `${username}:${hostRule.password!}`;
   }
 
   // TODO: types (#22198)