diff --git a/core/src/main/java/google/registry/model/console/PasswordResetRequest.java b/core/src/main/java/google/registry/model/console/PasswordResetRequest.java
index 11662e95eed..eab5b603d80 100644
--- a/core/src/main/java/google/registry/model/console/PasswordResetRequest.java
+++ b/core/src/main/java/google/registry/model/console/PasswordResetRequest.java
@@ -118,7 +118,9 @@ public PasswordResetRequest build() {
 checkArgumentNotNull(getInstance().requester, "Requester must be specified");
 checkArgumentNotNull(getInstance().destinationEmail, "Destination email must be specified");
 checkArgumentNotNull(getInstance().registrarId, "Registrar ID must be specified");
- getInstance().verificationCode = UUID.randomUUID().toString();
+ if (getInstance().verificationCode == null) {
+ getInstance().verificationCode = UUID.randomUUID().toString();
+ }
 return super.build();
 }
diff --git a/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java b/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java
index 97b5772581f..954bc5536a3 100644
--- a/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java
+++ b/core/src/test/java/google/registry/ui/server/console/PasswordResetVerifyActionTest.java
@@ -85,6 +85,16 @@ void testSuccess_post_lock() throws Exception {
 .isTrue();
 }
+ @Test
+ void testFailure_post_replay() throws Exception {
+ createAction("POST", verificationCode, "newPassword1").run();
+ assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_OK);
+
+ // Attempting to reuse the same code should fail
+ createAction("POST", verificationCode, "newPassword2").run();
+ assertThat(response.getStatus()).isEqualTo(HttpServletResponse.SC_BAD_REQUEST);
+ }
+
 @Test
 void testFailure_get_invalidVerificationCode() throws Exception {
 createAction("GET", "invalid", null).run();
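Review bot: With the assignment now guarded by `if (getInstance().verificationCode == null)`, build() no longer guarantees a freshly generated code; whatever non-null value is already on the instance is kept, so the unguessability of the code now depends on nothing upstream being able to place a caller-chosen value in that field. The hunk does not show whether the Builder exposes a setter for verificationCode, so that should be confirmed, and the reason for the guard should be stated on the `if`, e.g. `// Keep the existing code when rebuilding a persisted request (e.g. to mark it fulfilled); only a brand-new request gets a fresh random code.` A small test that two requests built from scratch get distinct codes would pin the remaining guarantee. The enclosing build() method starts outside the hunk.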
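Review bot: testFailure_post_replay pins only the HTTP status of the second POST, so an implementation that applied `newPassword2` before rejecting the replay would still pass. After the second `run()` the test should also assert that the stored credential is unchanged, using the same check testSuccess_post_lock presumably makes with the `.isTrue()` just above but negated for `newPassword2`, and, if the fixture exposes it, that the request's fulfilment state was not altered by the replay. The two actions share the `response` field, so the second assertion presumably relies on createAction rebinding it; if it does not, the status read is stale. The replay check itself lives in the verify action, which is outside this diff.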