diff --git a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
index 1883756954b58..d60e002f97bd2 100644
--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -80,7 +80,7 @@ public function __construct(IRequest $request,
 	 * @throws SecurityException
 	 * @since 6.0.0
 	 */
-	public function beforeController($controller, $methodName){
+	public function beforeController($controller, $methodName) {
 		// ensure that @CORS annotated API routes are not used in conjunction
 		// with session authentication since this enables CSRF attack vectors
 		if ($this->reflector->hasAnnotation('CORS') &&
@@ -88,9 +88,13 @@ public function beforeController($controller, $methodName){
 			$user = $this->request->server['PHP_AUTH_USER'];
 			$pass = $this->request->server['PHP_AUTH_PW'];
 
+			// Allow to use the current session if a CSRF token is provided
+			if ($this->request->passesCSRFCheck()) {
+				return;
+			}
 			$this->session->logout();
 			try {
-				if (!$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+				if (!empty($user) && !empty($pass) && !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
 					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
 				}
 			} catch (PasswordLoginForbiddenException $ex) {
diff --git a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
index 16f1fb35a82a4..923649772fd5f 100644
--- a/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/SecurityMiddleware.php
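Review bot: The new guard `!empty($user) && !empty($pass)` in the second hunk silently changes the failure mode: once `$this->session->logout()` has run, a request without Basic credentials no longer raises the `SecurityException('CORS requires basic auth')` that the message still promises, it continues through the middleware as an anonymous session, so access control for that route now rests entirely on whichever later check rejects an unauthenticated user. `empty()` also treats a password of `'0'` or `''` as absent, so such a user is logged out and passed on instead of being authenticated or refused. If credential-less fall-through is the intent (public CORS routes), say so explicitly next to the guard, e.g. `// No Basic credentials: continue anonymously; a later check must enforce login where required`, and replace the truthiness test with an explicit presence check such as `if ($user !== null && $pass !== null && !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {`. The outer `if ($this->reflector->hasAnnotation('CORS') && …` condition and the rest of beforeController continue outside these hunks, so the other conditions under which this block runs cannot be confirmed from here.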
@@ -46,6 +46,7 @@
 use OC\AppFramework\Utility\ControllerMethodReflector;
 use OCP\App\AppPathNotFoundException;
 use OCP\App\IAppManager;
+use OCP\AppFramework\ApiController;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\RedirectResponse;
@@ -170,13 +171,16 @@ public function beforeController($controller, $methodName) {
 		 *
 		 * Additionally we allow Bearer authenticated requests to pass on OCS routes.
 		 * This allows oauth apps (e.g. moodle) to use the OCS endpoints
+		 * CORS routes are also allowed to pass since the authentication and possible required
+		 * CSRF token check is handled in the CORSMiddleware
 		 */
-		if(!$this->request->passesCSRFCheck() && !(
-			$controller instanceof OCSController && (
-				$this->request->getHeader('OCS-APIREQUEST') === 'true' ||
-				strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0
-			)
-		)) {
+		if (!$this->request->passesCSRFCheck()
+			&& !($controller instanceof ApiController && $this->reflector->hasAnnotation('CORS'))
+			&& !($controller instanceof OCSController && (
+				$this->request->getHeader('OCS-APIREQUEST') === 'true' ||
+				strpos($this->request->getHeader('Authorization'), 'Bearer ') === 0)
+			)
+		) {
 			throw new CrossSiteRequestForgeryException();
 		}
 	}
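Review bot: The added clause `&& !($controller instanceof ApiController && $this->reflector->hasAnnotation('CORS'))` in the second hunk drops this middleware's CSRF check for every CORS-annotated ApiController route, so for those routes the protection now exists only if CORSMiddleware is registered in the same pipeline and applies its own CSRF/session handling; nothing in this file asserts that, and the two checks are not symmetric (CORSMiddleware keys on the annotation alone, this one additionally on `ApiController`). Make that dependency explicit in the new comment, e.g. `* CSRF token check is handled in the CORSMiddleware, which must be registered wherever this middleware is`, and add a middleware test asserting that a session-authenticated `@CORS` ApiController request without a token is still rejected when both middlewares run. As a style point, the rewritten condition mixes leading `&&` with trailing `||`, which makes the OCS branch harder to read; one convention per expression would help.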