diff --git a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
index ee5f9ce..09364c2 100644
--- a/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
+++ b/core/lib/Drupal/Core/Access/CsrfAccessCheck.php
@@ -48,9 +48,18 @@ public function appliesTo() {
    * {@inheritdoc}
    */
   public function access(Route $route, Request $request) {
-    // If this is not the controller request, return DENY now.
+    // If this is not the controller request ALLOW now.
     if ($request->attributes->get('_controller_request')) {
-      return static::DENY;
+      $conjunction = $route->getOption('_access_mode') ?: 'ANY';
+      // Return ALLOW if all access checks are needed.
+      if ($conjunction == 'ALL') {
+        return static::ALLOW;
+      }
+      // Return DENY otherwise, as another access checker should grant access
+      // for the route.
+      else {
+        return static::DENY;
+      }
     }
 
     return $this->csrfToken->validate($request->query->get('csrf'), $route->getRequirement('_csrf')) ? static::ALLOW : static::KILL;