diff --git a/admin/inc/class.admin_denyaccess.inc.php b/admin/inc/class.admin_denyaccess.inc.php
index a5e3287f98..2acf6c4116 100644
--- a/admin/inc/class.admin_denyaccess.inc.php
+++ b/admin/inc/class.admin_denyaccess.inc.php
@@ -108,6 +108,11 @@ class admin_denyaccess
 	{
 		$location = $_GET['location'];
+		// for POST (not GET or cli call via setup_cmd_admin) validate CSRF token
+		if ($_SERVER['REQUEST_METHOD'] == 'POST')
+		{
+			Api\Csrf::validate($_POST['csrf_token'], __FILE__);
+		}
 		if ($_POST['submit'] || $_POST['cancel'])
 		{
 			if ($_POST['submit'])
@@ -137,6 +142,7 @@ class admin_denyaccess
 		$this->common_header();
 		$this->template->set_file('form','acl_manager_form.tpl');
+		$this->template->set_var('csrf_token', Api\Csrf::token(__FILE__));
 		$afn = Api\Accounts::username($this->account_id);
diff --git a/admin/templates/default/acl_manager_form.tpl b/admin/templates/default/acl_manager_form.tpl
index 0def47790c..234571108b 100644
--- a/admin/templates/default/acl_manager_form.tpl
+++ b/admin/templates/default/acl_manager_form.tpl
@@ -1,5 +1,6 @@
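Review bot: The new guard in the first hunk reads `$_POST['csrf_token']` and `$_SERVER['REQUEST_METHOD']` without an existence check, so a POST that omits the token (or the CLI path the comment itself mentions, where REQUEST_METHOD is typically unset) raises an undefined-index notice/warning before `Api\Csrf::validate` ever gets to reject the request. Using null-coalescing keeps the rejection path clean and avoids the loose `==` comparison: `if (($_SERVER['REQUEST_METHOD'] ?? null) === 'POST')` and `Api\Csrf::validate($_POST['csrf_token'] ?? '', __FILE__);`. This presumes `Csrf::validate` treats an empty string as an invalid token and aborts the request; if it instead returns a status, the return value should be checked here before the `$_POST['submit']`/`$_POST['cancel']` branches run. The enclosing method starts and ends outside the hunk.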
+

{lang_message}

{select_values}