CSRF token is broken after update


I have updated from 4.62 to 4.8 and now I have a number of issues that appear related to the CSRF token. A sample log entry:

2024-06-13 17:27:35 error: [Cake\Http\Exception\InvalidCsrfTokenException] CSRF token from either the request body or request headers did not match or is missing. in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php on line 419
Request URL: /users/recover.json?api-version=v2
Referer URL: https://passwords.redacted.ca/auth/login?redirect=%2Fapp%2Fpasswords&locale=en-UK
Client IP:

Users logged in can continue to log in but email notifications are no longer sent. Users logging in from a new browser are unable to log in. They receive a message “Access to this service requires an invitation”. I cannot update settings.

I have read related issues and I have tried deleting cookies without success. Any help would be appreciated.