diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 811c5ba4bc326..10c63ec6f9a83 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -731,10 +731,21 @@ private function checkTokenCredentials(IToken $dbToken, $token) {
 return false;
 }
- // If the token password is no longer valid mark it as such
- if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false) {
+ $tokenLoginName = $dbToken->getLoginName();
+ if ($this->manager->checkPassword($tokenLoginName, $pwd) === false) {
+ // If the decrypted password is empty or not a valid local password,
+ // but the user exists and is enabled, we DO NOT permanently invalidate the token.
+ if (empty($pwd) || $this->manager->get($tokenLoginName) !== null) {
+ $this->logger->warning('Password check failed for user {user}, but user is active. Token preserved.', [
+ 'app' => 'core',
+ 'user' => $tokenLoginName,
+ ]);
+ return false;
+ }
+
+ // Legitimate password change or invalid user
+ // Invalidate the token
 $this->tokenProvider->markPasswordInvalid($dbToken, $token);
- // User is logged out
 return false;
 }