diff --git a/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
index 052d9d12ff..65847f586d 100644
--- a/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfRequestHeaderAccessCheck.php
@@ -100,8 +100,10 @@ public function access(Request $request, AccountInterface $account) {
     // This check only applies if
     // 1. the user was successfully authenticated and
     // 2. the request comes with a session cookie.
+    // 3. the authentication method is other then Bearer.
     if ($account->isAuthenticated()
       && $this->sessionConfiguration->hasSession($request)
+      && strpos($request->headers->get('Authorization'), 'Bearer ') === FALSE
     ) {
       if (!$request->headers->has('X-CSRF-Token')) {
         return AccessResult::forbidden()->setReason('X-CSRF-Token request header is missing')->setCacheMaxAge(0);
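Review bot: The added `strpos(..., 'Bearer ') === FALSE` condition skips the X-CSRF-Token check based only on the presence of the substring `Bearer ` anywhere in the Authorization header, not on whether bearer authentication is what actually authenticated the request; a request carrying a valid session cookie plus an arbitrary or invalid `Authorization: Bearer …` value is still authenticated by the session yet now bypasses the CSRF check, which widens the exemption beyond the comment's stated intent. The decision should be tied to the provider that authenticated the request (the authentication manager records this on the request attributes, so the check can consult that rather than sniff the header) or at minimum to a prefix test, e.g. `&& !str_starts_with((string) $request->headers->get('Authorization', ''), 'Bearer ')`. Note also that `headers->get()` returns NULL when the header is absent, and passing NULL to `strpos()` is deprecated on PHP 8.1+, so the fallback default or cast is needed either way. The new comment line has a typo, `other then` should read `other than`, and the "and" on item 1 now sits before a three-item list. The body of `access()` starts and ends outside this hunk.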