diff --git a/src/pretix/control/middleware.py b/src/pretix/control/middleware.py
index b5d995c28f..d40a27f3a8 100644
--- a/src/pretix/control/middleware.py
+++ b/src/pretix/control/middleware.py
@@ -139,7 +139,7 @@ class PermissionMiddleware:
             return redirect_to_url(reverse('control:user.settings') + '?next=' + quote(request.get_full_path()))
 
         if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \
-                and url_name not in self.EXCEPTIONS_2FA:
+                and url_name not in self.EXCEPTIONS_2FA and not request.user.needs_password_change:
             return redirect_to_url(reverse('control:user.settings.2fa'))
 
         if 'event' in url.kwargs and 'organizer' in url.kwargs: