diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
index fd37031e3b..28df76c58d 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@@ -87,9 +87,9 @@ public class SecurityConfig {
 // This is because the flow enters AclFilter as well and needs to be whitelisted there
 .matchers(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/login"),
 ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL),
-ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL + "/forgotPassword"),
-ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL + "/verifyPasswordResetToken"),
-ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, USER_URL + "/resetPassword"))
+ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, USER_URL + "/forgotPassword"),
+ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, USER_URL + "/verifyPasswordResetToken"),
+ServerWebExchangeMatchers.pathMatchers(HttpMethod.PUT, USER_URL + "/resetPassword"))
 .permitAll()
 .pathMatchers("/public/**").permitAll()
 .anyExchange()
diff --git a/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego b/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego
index e28ec299fc..8302662c78 100644
--- a/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego
+++ b/app/server/appsmith-server/src/main/resources/public/appsmith/authz/acl.rego
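Review bot: Switching the `/forgotPassword` and `/verifyPasswordResetToken` matchers from POST to GET means the account email and, more importantly, the password-reset token presumably travel as query-string parameters on an unauthenticated request, where they are recorded in access logs, proxy logs and browser history and can leak through the Referer header; the same method change is mirrored in the acl.rego hunk. A reset token is a bearer credential, so carrying it in a GET URL widens its exposure compared with a POST body, and a request that triggers a reset mail is a state change that normally should not be reachable by a plain GET. If the frontend genuinely needs GET here, the trade-off should at least be recorded next to the matcher, e.g. `// NOTE: the reset token is passed as a query parameter on this GET; keep it short-lived and single-use, and make sure this path is excluded from request logging`. The enclosing filter-chain method starts and ends outside the hunk.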
@@ -23,10 +23,10 @@ url_allow = true { # All public URLs must go into this list. Anything not in this list requires an authenticated session to access public_operations = [ - {"method" : "POST", "url" : "/api/v1/users/forgotPassword" }, + {"method" : "GET", "url" : "/api/v1/users/forgotPassword" }, {"method" : "POST", "url" : "/api/v1/users" }, - {"method" : "POST", "url" : "/api/v1/users/verifyPasswordResetToken" }, - {"method" : "POST", "url" : "/api/v1/users/resetPassword" }, + {"method" : "GET", "url" : "/api/v1/users/verifyPasswordResetToken" }, + {"method" : "PUT", "url" : "/api/v1/users/resetPassword" }, ] # This is a global list of all the routes for all controllers. Any new controller that is written must diff --git a/app/server/appsmith-server/src/main/resources/public/bundle.tar.gz b/app/server/appsmith-server/src/main/resources/public/bundle.tar.gz index 68b8ba98b9..58618889e9 100644 Binary files a/app/server/appsmith-server/src/main/resources/public/bundle.tar.gz and b/app/server/appsmith-server/src/main/resources/public/bundle.tar.gz differ
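Review bot: The `public_operations` list duplicates the permitAll matchers in SecurityConfig.java (the Java side's comment says the flow must also be whitelisted in AclFilter), but nothing in this file records that coupling, so a method or path that drifts between the two lists is silently rejected by whichever layer lacks it. I would extend the comment above the list: `# Keep in sync with the permitAll matchers in SecurityConfig.java: method and path must match exactly, otherwise the request is rejected by the other layer.` The enclosing `url_allow` rule starts before the hunk and appears to continue past it.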