diff --git a/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java b/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java
index 9840d7b817c..80c14dd7ce0 100644
--- a/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java
+++ b/server/src/main/java/org/cloudfoundry/identity/uaa/security/web/UaaRequestMatcher.java
@@ -143,6 +143,10 @@ private boolean matchesAcceptHeader(String requestValue, List expectedVa
 }
 List requestValues = MediaType.parseMediaTypes(requestValue);
+ if (requestValues.isEmpty()) {
+ // the "Accept" header is set, but blank -> cannot match any expected value
+ return false;
+ }
 for (String expectedValue : expectedValues) {
 if (MediaType.parseMediaType(expectedValue).includes(requestValues.get(0))) {
 return true;
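Review bot: The new `isEmpty()` guard covers a blank `Accept` header, but the `MediaType.parseMediaTypes(requestValue)` call on the line above it still runs on the raw client-supplied value, and (assuming this is Spring's `MediaType`) it throws `InvalidMediaTypeException` for a malformed header rather than returning an empty list. Unless a caller outside this hunk catches that, a syntactically invalid `Accept` value would leave the matcher as an exception instead of a clean non-match, which is the same class of failure this commit fixes for the blank case. Consider handling it the same way, e.g. `try { requestValues = MediaType.parseMediaTypes(requestValue); } catch (InvalidMediaTypeException e) { return false; }`, and adding matcher tests for both a blank and a malformed header. `matchesAcceptHeader` begins and ends outside the hunk, so an existing handler further up cannot be ruled out from here.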