diff --git a/src/starters/security/src/main/java/org/geoserver/cloud/security/gateway/GatewayPreAuthenticationFilter.java b/src/starters/security/src/main/java/org/geoserver/cloud/security/gateway/GatewayPreAuthenticationFilter.java
index 5b6a22cd0..b286df2d2 100644
--- a/src/starters/security/src/main/java/org/geoserver/cloud/security/gateway/GatewayPreAuthenticationFilter.java
+++ b/src/starters/security/src/main/java/org/geoserver/cloud/security/gateway/GatewayPreAuthenticationFilter.java
@@ -10,6 +10,7 @@ import org.geoserver.security.filter.GeoServerSecurityFilter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import java.io.IOException;
@@ -36,6 +37,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 String principalName = getPreAuthenticatedPrincipalName((HttpServletRequest) request);
 Authentication preAuth = SecurityContextHolder.getContext().getAuthentication();
+
+ // If a pre-auth token exists but the request has no principal name anymore, clear the
+ // context, or the user will stay authenticated
+ if (preAuth instanceof PreAuthenticatedAuthenticationToken && null == principalName) {
+ SecurityContextHolder.clearContext();
+ preAuth = null;
+ }
+
 if (preAuth == null || principalName != null) {
 log.debug("Authenticating as {}", principalName);
 doAuthenticate((HttpServletRequest) request, (HttpServletResponse) response);
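Review bot: The new `SecurityContextHolder.clearContext()` branch in doFilter only empties the thread-local holder; whether the stale pre-authenticated token is also evicted from wherever the context is persisted between requests (an HTTP session, if this chain uses a session-backed repository) depends on a persistence filter running after this one and saving the now-empty context, which is not visible in this hunk and should be confirmed, otherwise the next request reloads the old token and the fix is ineffective. The branch also changes an authenticated state to anonymous silently; that is a security-relevant transition worth recording for detection, e.g. adding `log.debug("Pre-authenticated principal no longer present, clearing security context for {}", preAuth.getName());` before the clear. Finally, `null == principalName` reads inconsistently next to the existing `principalName != null` on the following condition; `principalName == null` would match the file's style. doFilter's body starts and ends outside the hunk.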