diff --git a/packages/backend/src/routers/passwd.js b/packages/backend/src/routers/passwd.js
index 6fada5ed..f2e4c714 100644
--- a/packages/backend/src/routers/passwd.js
+++ b/packages/backend/src/routers/passwd.js
@@ -62,7 +62,7 @@ router.post('/passwd', auth, express.json(), async (req, res, next)=>{
             return res.status(400).send('new_pass must be at least 6 characters long.')
         else{
             await db.write(
-                'UPDATE user SET password=?, `pass_recovery_token` = NULL WHERE `id` = ?',
+                'UPDATE user SET password=?, `pass_recovery_token` = NULL, `change_email_confirm_token` = NULL WHERE `id` = ?',
                 [await bcrypt.hash(req.body.new_pass, 8), req.user.id]
             );
             invalidate_cached_user(req.user);
diff --git a/packages/backend/src/routers/set-pass-using-token.js b/packages/backend/src/routers/set-pass-using-token.js
index 6f58592a..add30306 100644
--- a/packages/backend/src/routers/set-pass-using-token.js
+++ b/packages/backend/src/routers/set-pass-using-token.js
@@ -68,7 +68,7 @@ router.post('/set-pass-using-token', express.json(), async (req, res, next)=>{
 
     try{
         const info = await db.write(
-            'UPDATE user SET password=?, pass_recovery_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?',
+            'UPDATE user SET password=?, pass_recovery_token=NULL, change_email_confirm_token=NULL WHERE `uuid` = ? AND pass_recovery_token = ?',
             [await bcrypt.hash(req.body.password, 8), user_uid, token],
         );