diff --git a/changelog/24373.txt b/changelog/24373.txt
new file mode 100644
index 0000000000..ae77aee6ca
--- /dev/null
+++ b/changelog/24373.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+http: Include PATCH in the list of allowed CORS methods
+```
\ No newline at end of file
diff --git a/http/cors.go b/http/cors.go
index 7381962073..2689a007db 100644
--- a/http/cors.go
+++ b/http/cors.go
@@ -18,6 +18,7 @@ var allowedMethods = []string{
 http.MethodOptions,
 http.MethodPost,
 http.MethodPut,
+ http.MethodPatch,
 "LIST", // LIST is not an official HTTP method, but Vault supports it.
 }
 
diff --git a/http/handler_test.go b/http/handler_test.go
index 92e1eacc46..b27cff8679 100644
--- a/http/handler_test.go
+++ b/http/handler_test.go
@@ -118,6 +118,28 @@ func TestHandler_parseMFAHandler(t *testing.T) {
 }
 }
 
+// TestHandler_CORS_Patch verifies that http PATCH is included in the list of
+// allowed request methods
+func TestHandler_CORS_Patch(t *testing.T) {
+ core, _, _ := vault.TestCoreUnsealed(t)
+ ln, addr := TestServer(t, core)
+ defer ln.Close()
+
+ corsConfig := core.CORSConfig()
+ err := corsConfig.Enable(context.Background(), []string{addr}, nil)
+ require.NoError(t, err)
+ req, err := http.NewRequest(http.MethodOptions, addr+"/v1/sys/seal-status", nil)
+ require.NoError(t, err)
+
+ req.Header.Set("Origin", addr)
+ req.Header.Set("Access-Control-Request-Method", http.MethodPatch)
+
+ client := cleanhttp.DefaultClient()
+ resp, err := client.Do(req)
+ require.NoError(t, err)
+ require.Equal(t, http.StatusOK, resp.StatusCode)
+}
+
 func TestHandler_cors(t *testing.T) {
 core, _, _ := vault.TestCoreUnsealed(t)
 ln, addr := TestServer(t, core)
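Review bot: The new `http.MethodPatch` entry in `allowedMethods` carries no comment, although adding it appears to widen what every configured CORS origin may request cross-origin. A one-line comment on the slice would make that visible to the next editor, for example `// allowedMethods is what allowed origins may request cross-origin; every addition widens browser-reachable surface.` How the list is consumed is not visible in this hunk, so the wording should be confirmed against the CORS handler. The slice literal begins above the hunk.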
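Review bot: `resp` returned by `client.Do(req)` in TestHandler_CORS_Patch is never closed, so the connection stays open until the listener is torn down; add `defer resp.Body.Close()` directly after the `require.NoError(t, err)` that follows the call. The only assertion is the 200 status, which shows the preflight was not rejected but not that PATCH is actually advertised. `require.Contains(t, resp.Header.Get("Access-Control-Allow-Methods"), http.MethodPatch)` would pin what the test comment claims, assuming the handler (not visible here) sets that header on preflight. A companion case with a method outside the allow list would also catch a regression where the method check stops being enforced.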