diff --git a/NEWS b/NEWS
index 334842afc6..3164e3b33f 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@ Bug fixes
 - [web] messages list not accessible when changing mailbox in expanded mail view (#4269)
 - [web] only one postal address of same type is saved (#4091)
 - [web] improve handling of email notifications of a calendar properties
+ - [web] fixed XSRF cookie path when changing password (#4139)
 - [eas] hebrew folders encoding problem using EAS (#4240)
 3.2.10 (2017-07-05)
diff --git a/UI/MainUI/SOGoRootPage.m b/UI/MainUI/SOGoRootPage.m
index a318398647..668383a092 100644
--- a/UI/MainUI/SOGoRootPage.m
+++ b/UI/MainUI/SOGoRootPage.m
@@ -623,6 +623,7 @@ - (WOResponse *) changePasswordAction
 creds = [auth parseCredentials: [authCookie value]];
 xsrfCookie = [WOCookie cookieWithName: @"XSRF-TOKEN" value: [[SOGoSession valueForSessionKey: [creds lastObject]] asSHA1String]];
+ [xsrfCookie setPath: [NSString stringWithFormat: @"/%@/", [request applicationName]]];
 [response addCookie: xsrfCookie];
 }
 else
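Review bot: The path on the added `setPath:` line is built inline, so nothing ties it to the path used wherever the same `XSRF-TOKEN` cookie is first issued (presumably the login action, which is outside this hunk). If the two strings ever differ, even by a trailing slash, the browser keeps both cookies and the client may send back the stale token after a password change. That would make XSRF validation fail or, worse, keep an old token alive. I would move the path construction into one helper used by every place that sets this cookie, or at least add a comment here such as `// must match the path of the XSRF-TOKEN cookie set at login, otherwise two tokens coexist`. Nothing in the visible lines marks the cookie Secure, so it is worth confirming that this is handled elsewhere for HTTPS deployments. `changePasswordAction` starts and ends outside the hunk, so the other branches were not reviewed.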