diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
index a0a539645d..b96dc705f9 100644
--- a/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverter.java
@@ -50,7 +50,8 @@ public final class ServerOneTimeTokenAuthenticationConverter implements ServerAu
 		Assert.notNull(exchange, "exchange cannot be null");
 		if (isFormEncodedRequest(exchange.getRequest())) {
 			return exchange.getFormData()
-				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data.getFirst(TOKEN)));
+				.mapNotNull((data) -> data.getFirst(TOKEN))
+				.map((data) -> OneTimeTokenAuthenticationToken.unauthenticated(data));
 		}
 		String token = resolveTokenFromRequest(exchange.getRequest());
 		if (!StringUtils.hasText(token)) {
diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
index 63f8d70ee8..63a729ac5e 100644
--- a/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/authentication/ott/ServerOneTimeTokenAuthenticationConverterTests.java
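Review bot: The form-encoded branch still produces an unauthenticated token for a blank value, because `mapNotNull` on the added line only drops a missing `token` parameter, while the header/query branch two lines below rejects anything that fails `StringUtils.hasText(token)`; a request carrying `token=` or a whitespace-only value would presumably flow through as an empty-string credential on the form path but as `Mono.empty()` on the other path. Making both paths agree keeps the converter's "no credential present" behaviour consistent regardless of how the token is transported: `.mapNotNull((data) -> data.getFirst(TOKEN))`, `.filter(StringUtils::hasText)`, `.map(OneTimeTokenAuthenticationToken::unauthenticated)`. Whether the downstream authentication manager treats an empty token as a failure anyway cannot be seen from this hunk, so the change is defensive rather than a known bypass. The enclosing `convert` method starts before and ends after this hunk.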
@@ -72,6 +72,18 @@ public class ServerOneTimeTokenAuthenticationConverterTests {
 		assertThat(authentication).isNull();
 	}
 
+	// gh-18973
+	@Test
+	void convertWhenNoTokenFormParameterThenNull() {
+		MockServerHttpRequest request = MockServerHttpRequest.post("/")
+			.contentType(MediaType.APPLICATION_FORM_URLENCODED)
+			.body("username=Max");
+
+		Authentication authentication = this.converter.convert(MockServerWebExchange.from(request)).block();
+
+		assertThat(authentication).isNull();
+	}
+
 	@Test
 	void convertWhenTokenEncodedFormParameterThenReturnOneTimeTokenAuthenticationToken() {
 		// @formatter:off
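Review bot: The new test pins only the absent-parameter case (`username=Max`), so the boundary between "parameter missing" and "parameter present but blank" is left unverified for the form path. A sibling test with `.body("token=")` asserting the outcome the maintainers intend (null, matching the `StringUtils.hasText` handling on the header/query path, if that is the contract) would document that decision and catch a regression in either direction. Naming it after the existing pattern, e.g. `convertWhenEmptyTokenFormParameterThenNull()`, keeps it consistent with the method above.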