diff --git a/modules/backend/classes/Controller.php b/modules/backend/classes/Controller.php
index c401c815e..ebf0c1825 100644
--- a/modules/backend/classes/Controller.php
+++ b/modules/backend/classes/Controller.php
@@ -355,17 +355,31 @@ class Controller extends Extendable
         return $this->makeViewContent($result);
     }
 
+    /**
+     * Returns the AJAX handler for the current request, if available.
+     * @return string
+     */
+    public function getAjaxHandler()
+    {
+        if (!Request::ajax() || Request::method() != 'POST') {
+            return null;
+        }
+
+        if ($handler = Request::header('X_OCTOBER_REQUEST_HANDLER')) {
+            return trim($handler);
+        }
+
+        return null;
+    }
+
     /**
      * This method is used internally.
      * Invokes a controller event handler and loads the supplied partials.
      */
     protected function execAjaxHandlers()
     {
-        if (Request::method() != 'POST') {
-            return null;
-        }
 
-        if ($handler = trim(Request::header('X_OCTOBER_REQUEST_HANDLER'))) {
+        if ($handler = $this->getAjaxHandler()) {
             try {
                 /*
                  * Validate the handler name
diff --git a/modules/cms/classes/Controller.php b/modules/cms/classes/Controller.php
index a4a8a5977..c9bd323bb 100644
--- a/modules/cms/classes/Controller.php
+++ b/modules/cms/classes/Controller.php
@@ -566,17 +566,30 @@ class Controller
     // AJAX
     //
 
+    /**
+     * Returns the AJAX handler for the current request, if available.
+     * @return string
+     */
+    public function getAjaxHandler()
+    {
+        if (!Request::ajax() || Request::method() != 'POST') {
+            return null;
+        }
+
+        if ($handler = Request::header('X_OCTOBER_REQUEST_HANDLER')) {
+            return trim($handler);
+        }
+
+        return null;
+    }
+
     /**
      * Executes the page, layout, component and plugin AJAX handlers.
      * @return mixed Returns the AJAX Response object or null.
      */
     protected function execAjaxHandlers()
     {
-        if (Request::method() != 'POST') {
-            return null;
-        }
-
-        if ($handler = trim(Request::header('X_OCTOBER_REQUEST_HANDLER'))) {
+        if ($handler = $this->getAjaxHandler()) {
             try {
                 /*
                  * Validate the handler name
diff --git a/modules/system/controllers/Updates.php b/modules/system/controllers/Updates.php
index 9253c30c1..39d00edd8 100644
--- a/modules/system/controllers/Updates.php
+++ b/modules/system/controllers/Updates.php
@@ -43,6 +43,10 @@ class Updates extends Controller
 
         BackendMenu::setContext('October.System', 'system', 'updates');
         SettingsManager::setContext('October.System', 'updates');
+
+        if ($this->getAjaxHandler() == 'onExecuteStep') {
+            $this->useSecurityToken = false;
+        }
     }
 
     /**