diff --git a/ee/api/chalicelib/blueprints/bp_core_dynamic.py b/ee/api/chalicelib/blueprints/bp_core_dynamic.py
index 9abd4cab8..de2ae3bfb 100644
--- a/ee/api/chalicelib/blueprints/bp_core_dynamic.py
+++ b/ee/api/chalicelib/blueprints/bp_core_dynamic.py
@@ -364,7 +364,11 @@ def process_invitation_link():
         return {"errors": ["invitation not found"]}
     if user["expiredInvitation"]:
         return {"errors": ["expired invitation, please ask your admin to send a new one"]}
-    pass_token = users.allow_password_change(user_id=user["userId"])
+    if user["expiredChange"] is not None and not user["expiredChange"] \
+            and user["changePwdToken"] is not None and user["changePwdAge"] < -5 * 60:
+        pass_token = user["changePwdToken"]
+    else:
+        pass_token = users.allow_password_change(user_id=user["userId"])
     return Response(
         status_code=307,
         body='',
diff --git a/ee/api/chalicelib/core/users.py b/ee/api/chalicelib/core/users.py
index 6c3434255..ec96b68ac 100644
--- a/ee/api/chalicelib/core/users.py
+++ b/ee/api/chalicelib/core/users.py
@@ -541,7 +541,8 @@ def get_by_invitation_token(token, pass_token=None):
                         *,
                         DATE_PART('day',timezone('utc'::text, now()) \
                             - COALESCE(basic_authentication.invited_at,'2000-01-01'::timestamp ))>=1 AS expired_invitation,
-                        change_pwd_expire_at <= timezone('utc'::text, now()) AS expired_change
+                        change_pwd_expire_at <= timezone('utc'::text, now()) AS expired_change,
+                        (EXTRACT(EPOCH FROM current_timestamp-basic_authentication.change_pwd_expire_at))::BIGINT AS change_pwd_age
                     FROM public.users INNER JOIN public.basic_authentication USING(user_id)
                     WHERE invitation_token = %(token)s {"AND change_pwd_token = %(pass_token)s" if pass_token else ""}
                     LIMIT 1;""",