diff --git a/scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenEnricher.java b/scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenEnricher.java
index b12a43ffe6..ed7093c09c 100644
--- a/scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenEnricher.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/XsrfAccessTokenEnricher.java
@@ -37,6 +37,7 @@ import javax.inject.Provider;
 import javax.servlet.http.HttpServletRequest;
 import com.google.inject.OutOfScopeException;
+import com.google.inject.ProvisionException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import sonia.scm.config.ScmConfiguration;
@@ -98,8 +99,12 @@ public class XsrfAccessTokenEnricher implements AccessTokenEnricher {
 } else {
 LOG.trace("skip xsrf enrichment, because jwt session is started from a non wui client");
 }
- } catch (OutOfScopeException ex) {
- LOG.trace("skip xsrf enrichment, because no request scope is available");
+ } catch (ProvisionException ex) {
+ if (ex.getCause() instanceof OutOfScopeException) {
+ LOG.trace("skip xsrf enrichment, because no request scope is available");
+ } else {
+ throw ex;
+ }
 }
 return false;
 }
diff --git a/scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenEnricherTest.java b/scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenEnricherTest.java
index 0d8960b0ee..5fbaaeb64c 100644
--- a/scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenEnricherTest.java
+++ b/scm-webapp/src/test/java/sonia/scm/security/XsrfAccessTokenEnricherTest.java
@@ -31,6 +31,7 @@ package sonia.scm.security;
 import com.google.inject.OutOfScopeException;
+import com.google.inject.ProvisionException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
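Review bot: A bare `OutOfScopeException` is no longer handled by the rewritten handler in `XsrfAccessTokenEnricher`, which catches only `ProvisionException` and inspects its direct cause. If the request provider ever throws the scope error unwrapped, as the stub in the old test did, it now propagates out of the enrichment step instead of skipping it, which would presumably fail token creation outside a request. Keeping the old clause ahead of the new one covers both shapes: `} catch (OutOfScopeException ex) { LOG.trace("skip xsrf enrichment, because no request scope is available");`. The `testWithoutRequestScope` hunk in the test file replaces the unwrapped stub rather than adding a second case, so that path is left untested as well. The try block and the rest of the method begin outside this hunk.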
@@ -43,6 +44,7 @@ import sonia.scm.util.HttpUtil;
 import javax.inject.Provider;
 import javax.servlet.http.HttpServletRequest;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.Mockito.*;
 /**
@@ -73,7 +75,7 @@ class XsrfAccessTokenEnricherTest {
 void testWithoutRequestScope() {
 // prepare
 Provider requestProvider = mock(Provider.class);
- when(requestProvider.get()).thenThrow(new OutOfScopeException("request scope is not available"));
+ when(requestProvider.get()).thenThrow(new ProvisionException("failed to provision", new OutOfScopeException("no request scope is available")));
 configuration.setEnabledXsrfProtection(true);
 XsrfAccessTokenEnricher enricher = createEnricher(requestProvider);
@@ -84,6 +86,19 @@ class XsrfAccessTokenEnricherTest {
 verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");
 }
+ @Test
+ @SuppressWarnings("unchecked")
+ void testWithProvisionException() {
+ // prepare
+ Provider requestProvider = mock(Provider.class);
+ when(requestProvider.get()).thenThrow(new ProvisionException("failed to provision"));
+ configuration.setEnabledXsrfProtection(true);
+ XsrfAccessTokenEnricher enricher = createEnricher(requestProvider);
+
+ // execute
+ assertThrows(ProvisionException.class, () -> enricher.enrich(builder));
+ }
+
 private XsrfAccessTokenEnricher createEnricher(Provider requestProvider) {
 return new XsrfAccessTokenEnricher(configuration, requestProvider) {
 @Override
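Review bot: `testWithProvisionException` stubs a `ProvisionException` with no cause at all, so the rethrow branch is never exercised with a cause of some other type. A second stub such as `new ProvisionException("failed to provision", new IllegalStateException("constructed for test"))` would pin that only an `OutOfScopeException` cause is treated as "no request scope" and everything else still fails the call. The test also stops at `assertThrows`; adding `verify(builder, never()).custom(Xsrf.TOKEN_KEY, "42");` after it, as the neighbouring test does, would confirm that no XSRF claim is written to the builder before the exception surfaces.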