diff --git a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
index 961cbfb31f..70f7b5bc3b 100644
--- a/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
+++ b/web/src/main/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverter.java
@@ -49,7 +49,7 @@ public class ServerHttpBasicAuthenticationConverter implements Function<ServerWe
 			"" : authorization.substring(BASIC.length(), authorization.length());
 		byte[] decodedCredentials = base64Decode(credentials);
 		String decodedAuthz = new String(decodedCredentials);
-		String[] userParts = decodedAuthz.split(":");
+		String[] userParts = decodedAuthz.split(":", 2);
 
 		if(userParts.length != 2) {
 			return Mono.empty();
diff --git a/web/src/test/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverterTests.java b/web/src/test/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverterTests.java
index e09b787aed..fd799d8323 100644
--- a/web/src/test/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverterTests.java
+++ b/web/src/test/java/org/springframework/security/web/server/ServerHttpBasicAuthenticationConverterTests.java
@@ -79,6 +79,15 @@ public class ServerHttpBasicAuthenticationConverterTests {
 		assertThat(authentication.getCredentials()).isEqualTo("password");
 	}
 
+	@Test
+	public void applyWhenUserPasswordHasColon() {
+		Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "Basic dXNlcm5hbWU6cGFzczp3b3Jk"));
+
+		UsernamePasswordAuthenticationToken authentication = result.cast(UsernamePasswordAuthenticationToken.class).block();
+		assertThat(authentication.getPrincipal()).isEqualTo("user");
+		assertThat(authentication.getCredentials()).isEqualTo("pass:word");
+	}
+
 	@Test
 	public void applyWhenLowercaseSchemeThenAuthentication() {
 		Mono<Authentication> result = apply(this.request.header(HttpHeaders.AUTHORIZATION, "basic dXNlcjpwYXNzd29yZA=="));