diff --git a/docs/en_US/release_notes_4_9.rst b/docs/en_US/release_notes_4_9.rst
index aebec3cc3..8e0dc29f3 100644
--- a/docs/en_US/release_notes_4_9.rst
+++ b/docs/en_US/release_notes_4_9.rst
@@ -25,4 +25,5 @@ Bug fixes
 | `Bug #4317 `_ - Ensure that browser auto-fill doesn't cause Help pages to be opened unexpectedly.
 | `Bug #4320 `_ - Fix issue where SSH tunnel connection using password is failing, it's regression of Master Password.
 | `Bug #4329 `_ - Fix an initialisation error when two functions with parameters are debugged in parallel.
-| `Bug #4343 `_ - Fix issue where property dialog of column should open properly for EPAS v12.
\ No newline at end of file
+| `Bug #4343 `_ - Fix issue where property dialog of column should open properly for EPAS v12.
+| `Bug #4350 `_ - Ensure we include the CSRF token when uploading files.
\ No newline at end of file
diff --git a/web/pgadmin/misc/file_manager/static/js/utility.js b/web/pgadmin/misc/file_manager/static/js/utility.js
index 0d83058de..1403d98f2 100644
--- a/web/pgadmin/misc/file_manager/static/js/utility.js
+++ b/web/pgadmin/misc/file_manager/static/js/utility.js
@@ -1466,9 +1466,14 @@ define([ '' + ''; + // We need to append our csrf token with dropzone's ajax request header + let csrfToken = {}; + csrfToken[pgAdmin.csrf_token_header] = pgAdmin.csrf_token; + $('div#multiple-uploads').dropzone({ paramName: 'newfile', url: pgAdmin.FileUtils.fileConnector, + headers: csrfToken, maxFilesize: fileSize, maxFiles: config.upload.number, addRemoveLinks: true,
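Review bot: The header object built just above the `dropzone({` call in utility.js is evaluated once, when the widget is initialised, so every upload from that dialog sends whatever `pgAdmin.csrf_token` held at that moment. If the token is ever reissued while the dialog stays open (not visible from this hunk), later uploads would fail the CSRF check. Reading the value at send time avoids that, for example `xhr.setRequestHeader(pgAdmin.csrf_token_header, pgAdmin.csrf_token);` inside a Dropzone `sending` handler. If the static `headers` option is kept, the binding is never reassigned and holds a header map rather than a token, so `const csrfHeaders = { [pgAdmin.csrf_token_header]: pgAdmin.csrf_token };` would describe it better. The enclosing function starts and ends outside the hunk.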