diff --git a/info/magnolia/cms/security/CsrfTokenSecurityFilter.java b/info/magnolia/cms/security/CsrfTokenSecurityFilter.java
@@ -35,6 +35,7 @@
 import info.magnolia.audit.AuditLoggingUtil;
 import info.magnolia.cms.filters.AbstractMgnlFilter;
 import info.magnolia.context.Context;
+import lombok.SneakyThrows;
 import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -48,6 +49,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import java.io.IOException;
+import java.net.URI;
 import java.security.SecureRandom;
 import java.util.*;
@@ -158,7 +160,9 @@
 request.setAttribute(CSRF_ATTRIBUTE_NAME, token);
 Cookie cookie = new Cookie(CSRF_ATTRIBUTE_NAME, token);
- cookie.setPath(request.getServletPath());
+ // PATCH: encode cookie path
+ cookie.setPath(encodePath(request.getServletPath()));
+ // END PATCH
 // A negative value means that the cookie is not stored persistently
 cookie.setMaxAge(-1);
 response.addCookie(cookie);
@@ -185,6 +189,11 @@
 return false;
 }
+ @SneakyThrows
+ private String encodePath(String path) {
+ return new URI(path).toASCIIString();
+ }
+
 private void csrfTokenMissing(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
 final String auditDetails = String.format("CSRF token not set while user '%s' attempted to access url '%s'.", contextProvider.get().getUser().getName(), url);
 handleError(request, response, auditDetails);
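Review bot: The `// PATCH: encode cookie path` and `// END PATCH` markers around the new `cookie.setPath(encodePath(...))` call say that the line was changed, which the diff already shows, but not why the servlet path needs encoding before it becomes the cookie's Path attribute; that reason is what the next reader of this method will need. Replace both markers with one why-comment such as `// Path is written verbatim into Set-Cookie; encode it so a non-ASCII servlet path cannot produce an invalid cookie header` (the exact container behaviour being guarded against is not stated in the commit, so confirm the wording against the bug this fixes). The enclosing method starts and ends outside this hunk.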
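Review bot: `new URI(path)` in encodePath rejects a path containing any character that is illegal in a URI string (a space, a `%` not followed by two hex digits, `"`, `<`, `>`, `{`, `}`, `|`, `\`, `^`), and @SneakyThrows lets the resulting URISyntaxException escape unchecked, so a request whose decoded servlet path contains one of those characters now fails inside the filter instead of receiving a cookie; toASCIIString() only covers non-ASCII characters. The single-string constructor also treats `?` and `#` as delimiters, so those would pass through unencoded. The multi-argument constructor quotes illegal path characters instead of rejecting them, so `new URI(null, null, path, null).toASCIIString()` handles both cases; the URISyntaxException it can still throw should then be handled explicitly rather than hidden by @SneakyThrows, which also makes the lombok import added in the first hunk unnecessary (an `import java.net.URISyntaxException;` is needed instead). The rewritten method is below.
```java
/**
 * Percent-encodes the servlet path for use as a cookie Path attribute.
 *
 * @param path the decoded servlet path of the current request
 * @return the path with non-ASCII and URI-illegal characters percent-encoded
 * @throws IllegalArgumentException if the path cannot be represented as a URI path
 */
private String encodePath(String path) {
    try {
        // The multi-argument constructor quotes characters that are illegal in a
        // path component; toASCIIString() then encodes the remaining non-ASCII ones.
        return new URI(null, null, path, null).toASCIIString();
    } catch (URISyntaxException e) {
        throw new IllegalArgumentException("Cannot encode cookie path: " + path, e);
    }
}
```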