diff --git a/core/modules/user/src/AccountForm.php b/core/modules/user/src/AccountForm.php
index 8b0149ebd5f..9199c73fc0e 100644
--- a/core/modules/user/src/AccountForm.php
+++ b/core/modules/user/src/AccountForm.php
@@ -127,8 +127,9 @@ abstract class AccountForm extends ContentEntityForm {
     // To skip the current password field, the user must have logged in via a
     // one-time link and have the token in the URL. Store this in $form_state
     // so it persists even on subsequent Ajax requests.
-    if (!$form_state->get('user_pass_reset')) {
-      $user_pass_reset = isset($_SESSION['pass_reset_' . $account->id()]) && Crypt::hashEquals($_SESSION['pass_reset_' . $account->id()], \Drupal::request()->query->get('pass-reset-token'));
+    if (!$form_state->get('user_pass_reset') && ($token = $this->getRequest()->get('pass-reset-token'))) {
+      $session_key = 'pass_reset_' . $account->id();
+      $user_pass_reset = isset($_SESSION[$session_key]) && Crypt::hashEquals($_SESSION[$session_key], $token);
       $form_state->set('user_pass_reset', $user_pass_reset);
     }
diff --git a/core/modules/user/src/Tests/UserPasswordResetTest.php b/core/modules/user/src/Tests/UserPasswordResetTest.php
index 420b97a480d..1b415faad77 100644
--- a/core/modules/user/src/Tests/UserPasswordResetTest.php
+++ b/core/modules/user/src/Tests/UserPasswordResetTest.php
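Review bot: The new guard on the `if` line only rejects an absent or falsy token, so a non-string query value such as `?pass-reset-token[]=x` still reaches `Crypt::hashEquals()` as an array; the warning text the test checks is PHP's `hash_equals()` message, so that helper evidently passes the value straight through, and an array would presumably trigger the same class of warning (a TypeError on newer PHP) that this commit is fixing for the NULL case. The change also moves from `query->get()` to `Request::get()`, which in Symfony additionally consults route attributes and the POST body, while the comment above still says the token must be in the URL; reading the query bag explicitly keeps the documented contract. Suggested line: `if (!$form_state->get('user_pass_reset') && is_string($token = $this->getRequest()->query->get('pass-reset-token'))) {`. Note that when no token is supplied the branch no longer calls `$form_state->set('user_pass_reset', ...)`, so later readers see NULL rather than FALSE — harmless if they only test truthiness, which cannot be confirmed from this hunk. The enclosing form-build method starts and ends outside the hunk.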
@@ -140,6 +140,15 @@ class UserPasswordResetTest extends PageCacheTagsTestBase {
     $this->drupalPostForm(NULL, $edit, t('Submit'));
     $this->assertTrue( count($this->drupalGetMails(array('id' => 'user_password_reset'))) === $before + 1, 'Email sent when requesting password reset using email address.');
+    // Visit the user edit page without pass-reset-token and make sure it does
+    // not cause an error.
+    $resetURL = $this->getResetURL();
+    $this->drupalGet($resetURL);
+    $this->drupalPostForm(NULL, NULL, t('Log in'));
+    $this->drupalGet('user/' . $this->account->id() . '/edit');
+    $this->assertNoText('Expected user_string to be a string, NULL given');
+    $this->drupalLogout();
+
     // Create a password reset link as if the request time was 60 seconds older than the allowed limit.
     $timeout = $this->config('user.settings')->get('password_reset_timeout');
     $bogus_timestamp = REQUEST_TIME - $timeout - 60;
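Review bot: The added `assertNoText('Expected user_string to be a string, NULL given')` only proves the token-less edit page does not print one specific PHP warning, which depends on error display being enabled in the test site and on the exact wording of that PHP version's `hash_equals()` message; it does not assert the behaviour the guard exists to enforce. A stronger check after the `drupalGet('user/' . $this->account->id() . '/edit')` line is that the form did not treat the visit as a token-bearing reset, i.e. the current-password field is still rendered (presumably `$this->assertFieldByName('current_pass');` — confirm the field name in AccountForm). Adding `$this->assertResponse(200);` alongside would also catch a fatal on PHP versions where `hash_equals()` throws instead of warning, which the text assertion would miss. The test method starts and ends outside the hunk.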