diff --git a/tests/test_selfservice.py b/tests/test_selfservice.py
index da3c94ddd926729d83cb6962a48292fd5f8c4597..c7c4b14c8ddeb6fbd1d020b3aed1241306a808f6 100644
--- a/tests/test_selfservice.py
+++ b/tests/test_selfservice.py
@@ -165,7 +165,6 @@ class TestSelfservice(UffdTestCase):
 		_user = request.user
 		self.assertEqual(_user.mail, user.mail)
 
-	@unittest.skip('See #26')
 	def test_token_mail_wrong_user(self):
 		self.login_as('user')
 		user = request.user
@@ -176,7 +175,7 @@ class TestSelfservice(UffdTestCase):
 		db.session.commit()
 		r = self.client.get(path=url_for('selfservice.token_mail', token=admin_token.token), follow_redirects=True)
 		dump('token_mail_wrong_user', r)
-		self.assertEqual(r.status_code, 200)
+		self.assertEqual(r.status_code, 403)
 		_user = request.user
 		_admin_user = self.get_admin()
 		self.assertEqual(_user.mail, user.mail)
diff --git a/uffd/selfservice/views.py b/uffd/selfservice/views.py
index ca1f0248e73d4b7d025a096689587a88239b0bf1..1ee8c668dd16897a699fd95527e3a3adc3bfce26 100644
--- a/uffd/selfservice/views.py
+++ b/uffd/selfservice/views.py
@@ -1,6 +1,6 @@
 import datetime
 
-from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session
+from flask import Blueprint, render_template, request, url_for, redirect, flash, current_app, session, abort
 from flask_babel import gettext as _, lazy_gettext
 
 from uffd.navbar import register_navbar
@@ -122,6 +122,8 @@ def token_mail(token):
 		return redirect(url_for('selfservice.index'))
 
 	user = User.query.filter_by(loginname=dbtoken.loginname).one()
+	if user != request.user:
+		abort(403, description=_('This link was generated for another user. Login as the correct user to continue.'))
 	user.set_mail(dbtoken.newmail)
 	flash(_('New mail set'))
 	db.session.delete(dbtoken)
diff --git a/uffd/translations/de/LC_MESSAGES/messages.mo b/uffd/translations/de/LC_MESSAGES/messages.mo
index 89920cdc366a7daa31d3fb1afc9fceef4be3562d..73bf24fe50496a1513b4d3dd910f143915714e7a 100644
Binary files a/uffd/translations/de/LC_MESSAGES/messages.mo and b/uffd/translations/de/LC_MESSAGES/messages.mo differ
diff --git a/uffd/translations/de/LC_MESSAGES/messages.po b/uffd/translations/de/LC_MESSAGES/messages.po
index 70e5f135a05d4ce7a2db7914eaf2ad24b9f2927e..da0a5199fc994833bcc9c085b0cfe810f62bdde9 100644
--- a/uffd/translations/de/LC_MESSAGES/messages.po
+++ b/uffd/translations/de/LC_MESSAGES/messages.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2021-09-04 21:53+0200\n"
+"POT-Creation-Date: 2021-09-05 00:47+0200\n"
 "PO-Revision-Date: 2021-05-25 21:18+0200\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language: de\n"
@@ -969,19 +969,27 @@ msgid "New password set"
 msgstr "Passwort geändert"
 
 #: uffd/selfservice/views.py:126
+msgid ""
+"This link was generated for another user. Login as the correct user to "
+"continue."
+msgstr ""
+"Dieser Link wurde für einen anderen Account erstellt. Melde dich mit dem "
+"richtigen Account an um Fortzufahren."
+
+#: uffd/selfservice/views.py:128
 msgid "New mail set"
 msgstr "E-Mail-Adresse geändert"
 
-#: uffd/selfservice/views.py:137
+#: uffd/selfservice/views.py:139
 msgid "Leaving roles is disabled"
 msgstr "Verlassen von Rollen ist deaktiviert"
 
-#: uffd/selfservice/views.py:144
+#: uffd/selfservice/views.py:146
 #, python-format
 msgid "You left role %(role_name)s"
 msgstr "Rolle %(role_name)s verlassen"
 
-#: uffd/selfservice/views.py:161 uffd/selfservice/views.py:181
+#: uffd/selfservice/views.py:163 uffd/selfservice/views.py:183
 #, python-format
 msgid "Mail to \"%(mail_address)s\" could not be sent!"
 msgstr "E-Mail an \"%(mail_address)s\" konnte nicht gesendet werden!"