diff --git a/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java b/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
index 26fc55bf5d5..9d73cb7023f 100644
--- a/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
+++ b/store/src/java-test/com/zimbra/cs/servlet/util/CsrfUtilTest.java
@@ -171,6 +171,24 @@ public final void testIsValidCsrfTokenForAccountWithMultipleTokens() {
         }
     }
+    @Test
+    public final void testIsValidCsrfTokenForAccountWithNullAuthToken() {
+        try {
+            Account acct = Provisioning.getInstance().getAccountByName(
+                "test@zimbra.com");
+            AuthToken authToken = new ZimbraAuthToken(acct);
+
+            String csrfToken1 = CsrfUtil.generateCsrfToken(acct.getId(),
+                AUTH_TOKEN_EXPR, CSRFTOKEN_SALT, authToken);
+            boolean validToken = CsrfUtil.isValidCsrfToken(csrfToken1, null);
+            assertEquals(false, validToken);
+
+
+        } catch (Exception e) {
+            fail("Should not throw exception.");
+        }
+    }
+
     @Test
     public final void testIsCsrfRequestWhenCsrfCheckIsTurnedOn() {
diff --git a/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java b/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
index 3c59caff554..5ce47a50756 100644
--- a/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
+++ b/store/src/java/com/zimbra/cs/servlet/util/CsrfUtil.java
@@ -255,7 +255,7 @@ public static Account getAccount(AuthToken authToken, boolean loadFromLdap) thro
     }
     public static boolean isValidCsrfToken(String csrfToken, AuthToken authToken) {
-        if (StringUtil.isNullOrEmpty(csrfToken)) {
+        if (StringUtil.isNullOrEmpty(csrfToken) || null == authToken) {
             return false;
         }
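Review bot: The new testIsValidCsrfTokenForAccountWithNullAuthToken has no positive control, so `assertEquals(false, validToken)` would also pass if generateCsrfToken produced a token that is rejected for any other reason, which means the test does not actually prove the null-authToken branch added in CsrfUtil.isValidCsrfToken is what fails closed. Before the null check, assert that the same token is accepted with the real auth token, presumably as the sibling multiple-tokens test does: `assertTrue(CsrfUtil.isValidCsrfToken(csrfToken1, authToken));` followed by `assertFalse(CsrfUtil.isValidCsrfToken(csrfToken1, null));`. The `catch (Exception e) { fail("Should not throw exception."); }` wrapper also discards the stack trace of any unexpected failure; declaring the method `throws Exception` and dropping the try/catch reports the real cause, and the two stray blank lines before the catch can go with it.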