diff --git a/packages/cli/src/controllers/passwordReset.controller.ts b/packages/cli/src/controllers/passwordReset.controller.ts index 4b0ec6c9df..462ad22839 100644 --- a/packages/cli/src/controllers/passwordReset.controller.ts +++ b/packages/cli/src/controllers/passwordReset.controller.ts @@ -244,8 +244,10 @@ export class PasswordResetController { throw new NotFoundError(''); } + const passwordHash = await hashPassword(validPassword); + await this.userRepository.update(userId, { - password: await hashPassword(validPassword), + password: passwordHash, resetPasswordToken: null, resetPasswordTokenExpiration: null, }); @@ -268,6 +270,6 @@ export class PasswordResetController { }); } - await this.externalHooks.run('user.password.update', [user.email, password]); + await this.externalHooks.run('user.password.update', [user.email, passwordHash]); } } diff --git a/packages/cli/test/integration/passwordReset.api.test.ts b/packages/cli/test/integration/passwordReset.api.test.ts index 38c9042ddf..0b48f2cdd2 100644 --- a/packages/cli/test/integration/passwordReset.api.test.ts +++ b/packages/cli/test/integration/passwordReset.api.test.ts @@ -14,6 +14,7 @@ import { randomValidPassword, } from './shared/random'; import * as testDb from './shared/testDb'; +import { ExternalHooks } from '@/ExternalHooks'; jest.mock('@/UserManagement/email/NodeMailer'); @@ -21,6 +22,7 @@ let globalOwnerRole: Role; let globalMemberRole: Role; let owner: User; let authlessAgent: SuperAgentTest; +let externalHooks = utils.mockInstance(ExternalHooks); beforeAll(async () => { const app = await utils.initTestServer({ endpointGroups: ['passwordReset'] }); @@ -36,6 +38,7 @@ beforeEach(async () => { owner = await testDb.createUser({ globalRole: globalOwnerRole }); config.set('userManagement.isInstanceOwnerSetUp', true); + externalHooks.run.mockReset(); }); afterAll(async () => { 
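Review bot: The `user.password.update` hook call at the end of the `@@ -268,6 +270,6 @@` hunk now passes the stored password hash to external hook code, which keeps the plaintext out but still exposes a credential verifier to whatever a hook logs or forwards. If hook consumers do not need the value, consider dropping the second argument; otherwise state the contract at the call site, e.g. `// Hooks receive the stored hash, never the plaintext; treat it as a secret and keep it out of logs.` The argument's meaning changed without a rename, so existing hooks that expected a plaintext password will presumably receive a hash silently; that deserves a changelog or hook-documentation entry. The enclosing method starts outside both hunks and other callers of this hook name are not visible here, so their argument shape should be checked for consistency.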
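Review bot: `externalHooks` in the `@@ -21,6 +22,7 @@` hunk is declared with `let` although the visible changes never reassign it, so it should read `const externalHooks = utils.mockInstance(ExternalHooks);`. Unlike the neighbouring `let` declarations, which are presumably assigned later in `beforeAll`/`beforeEach`, this one is initialised at module load, and `const` keeps a later test from rebinding the mock by accident.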
@@ -191,6 +194,11 @@ describe('POST /change-password', () => { const comparisonResult = await compare(passwordToStore, storedPassword); expect(comparisonResult).toBe(true); expect(storedPassword).not.toBe(passwordToStore); + + expect(externalHooks.run).toHaveBeenCalledWith('user.password.update', [ + owner.email, + storedPassword, + ]); }); test('should fail with invalid inputs', async () => { @@ -246,5 +254,7 @@ describe('POST /change-password', () => { }); expect(response.statusCode).toBe(404); + + expect(externalHooks.run).not.toHaveBeenCalled(); }); });
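Review bot: The new `toHaveBeenCalledWith` assertion in the success test passes as soon as one call matches, so it would not catch an additional hook invocation that still carries the plaintext. A negative check such as `expect(JSON.stringify(externalHooks.run.mock.calls)).not.toContain(passwordToStore);` would pin the security property the controller change is after. The `not.toHaveBeenCalled()` check is added only to the last 404 test in the following hunk; the other failure tests (for example 'should fail with invalid inputs', whose body continues outside the hunk) would presumably benefit from the same assertion.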