diff --git a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
index 97c452f96942d102de841560251880ddb7ca2a3f..6aec0a3a9818dae5a6f6bfbcf6c4a00fdd009aee 100644
--- a/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
+++ b/typo3/sysext/backend/Classes/Authentication/PasswordReset.php
@@ -39,6 +39,7 @@ use TYPO3\CMS\Core\Database\Query\Restriction\StartTimeRestriction;
 use TYPO3\CMS\Core\Http\NormalizedParams;
 use TYPO3\CMS\Core\Mail\FluidEmail;
 use TYPO3\CMS\Core\Mail\Mailer;
+use TYPO3\CMS\Core\Session\SessionManager;
 use TYPO3\CMS\Core\SysLog\Action\Login as SystemLogLoginAction;
 use TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;
 use TYPO3\CMS\Core\SysLog\Type as SystemLogType;
@@ -348,6 +349,8 @@ class PasswordReset implements LoggerAwareInterface
             ->getConnectionForTable('be_users')
             ->update('be_users', ['password_reset_token' => '', 'password' => $this->getHasher()->getHashedPassword($newPassword)], ['uid' => $userId]);
 
+        $this->invalidateUserSessions($userId);
+
         $this->logger->info('Password reset successful for user {user_id)', ['user_id' => $userId]);
         $this->log(
             'Password reset successful for user %s',
@@ -498,4 +501,14 @@ class PasswordReset implements LoggerAwareInterface
             ->executeQuery()
             ->fetchOne();
     }
+
+    /**
+     * Invalidate all backend user sessions by given user id
+     */
+    protected function invalidateUserSessions(int $userId): void
+    {
+        $sessionManager = GeneralUtility::makeInstance(SessionManager::class);
+        $sessionBackend = $sessionManager->getSessionBackend('BE');
+        $sessionManager->invalidateAllSessionsByUserId($sessionBackend, $userId);
+    }
 }
diff --git a/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php b/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php
index f76c5f8b54c2e7b3a48d1d4a627b4233c26bfd3d..c89c39b71196d9401cfacad678beb138638c67a7 100644
--- a/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php
+++ b/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php
@@ -24,6 +24,7 @@ use TYPO3\CMS\Core\Context\Exception\AspectNotFoundException;
 use TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
 use TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
 use TYPO3\CMS\Core\Messaging\AbstractMessage;
+use TYPO3\CMS\Core\Session\SessionManager;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Error\Error;
 use TYPO3\CMS\Extbase\Error\Result;
@@ -227,7 +228,9 @@ class PasswordRecoveryController extends AbstractLoginFormController
             return $hashedPassword;
         }
 
+        $user = $this->userRepository->findOneByForgotPasswordHash(GeneralUtility::hmac($hash));
         $this->userRepository->updatePasswordAndInvalidateHash(GeneralUtility::hmac($hash), $hashedPassword);
+        $this->invalidateUserSessions($user['uid']);
 
         $this->addFlashMessage($this->getTranslation('change_password_done_message'));
 
@@ -331,4 +334,14 @@ class PasswordRecoveryController extends AbstractLoginFormController
             true
         );
     }
+
+    /**
+     * Invalidate all frontend user sessions by given user id
+     */
+    protected function invalidateUserSessions(int $userId): void
+    {
+        $sessionManager = GeneralUtility::makeInstance(SessionManager::class);
+        $sessionBackend = $sessionManager->getSessionBackend('FE');
+        $sessionManager->invalidateAllSessionsByUserId($sessionBackend, $userId);
+    }
 }