diff --git a/pkg/user/user_password_reset.go b/pkg/user/user_password_reset.go
index d2a534392..f92d8895b 100644
--- a/pkg/user/user_password_reset.go
+++ b/pkg/user/user_password_reset.go
@@ -65,7 +65,7 @@ func ResetPassword(s *xorm.Session, reset *PasswordReset) (userID int64, err err
 return
 }
- err = removeTokens(s, user, TokenEmailConfirm)
+ err = removeTokens(s, user, TokenPasswordReset)
 if err != nil {
 return
 }
diff --git a/pkg/user/user_test.go b/pkg/user/user_test.go
index b13c63396..488632f68 100644
--- a/pkg/user/user_test.go
+++ b/pkg/user/user_test.go
@@ -558,6 +558,28 @@ func TestUserPasswordReset(t *testing.T) {
 _, err := ResetPassword(s, reset)
 require.NoError(t, err)
 })
+ t.Run("removes password reset token after use", func(t *testing.T) {
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ token := "passwordresettesttoken"
+
+ reset := &PasswordReset{
+ Token: token,
+ NewPassword: "12345",
+ }
+ _, err := ResetPassword(s, reset)
+ require.NoError(t, err)
+
+ err = s.Commit()
+ require.NoError(t, err)
+
+ db.AssertMissing(t, "user_tokens", map[string]interface{}{
+ "token": token,
+ "kind": TokenPasswordReset,
+ })
+ })
 t.Run("without password", func(t *testing.T) {
 db.LoadAndAssertFixtures(t)
 s := db.NewSession()
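Review bot: In pkg/user/user_password_reset.go, the `removeTokens(s, user, TokenPasswordReset)` call has no comment saying why it is there, and the wrong token kind sat on this line unnoticed until this commit. I would add `// Reset tokens are single-use: delete them once the password has changed so the emailed link cannot be used again.` directly above the call. The switch also means ResetPassword no longer deletes TokenEmailConfirm tokens; that looks intended, but it is worth confirming nothing relied on it. ResetPassword starts and ends outside the hunk, so whether the token lookup, the password update and this deletion share one transaction cannot be checked from here.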
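Review bot: In pkg/user/user_test.go, the new subtest "removes password reset token after use" checks only that the row is gone, not that the token is rejected afterwards, which is the property the fix protects. After the `db.AssertMissing` call I would repeat the reset on a fresh session and expect it to fail: `_, err = ResetPassword(s2, reset)` followed by `require.Error(t, err)`, with `s2` a new `db.NewSession()`. The `"kind": TokenPasswordReset` filter also narrows the assertion; matching on `"token"` alone would catch the row surviving under any kind. TestUserPasswordReset starts before the hunk and continues past it, so an existing replay case elsewhere in the function would make the extra call redundant.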