diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php
index 83aa0d1580..426ebaae10 100644
--- a/wp-admin/options-general.php
+++ b/wp-admin/options-general.php
@@ -112,7 +112,7 @@ if ( $new_admin_email && $new_admin_email != get_option('admin_email') ) : ?>
 );
 printf(
 ' %2$s',
- esc_url( admin_url( 'options.php?dismiss=new_admin_email' ) ),
+ esc_url( wp_nonce_url( admin_url( 'options.php?dismiss=new_admin_email' ), 'dismiss-' . get_current_blog_id() . '-new_admin_email' ) ),
 __( 'Cancel' )
 );
 ?>
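Review bot: The nonce action string `'dismiss-' . get_current_blog_id() . '-new_admin_email'` on the added `esc_url( wp_nonce_url( ... ) )` line is built by hand here and again in the `check_admin_referer()` call added in wp-admin/options.php. The two must match exactly, or the Cancel link will fail verification. I would add a comment above the `printf(` such as `// Nonce action must match check_admin_referer() in wp-admin/options.php.` so that one side is not edited in isolation later. The enclosing `if ( $new_admin_email ... ) :` block starts and ends outside the hunk.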

diff --git a/wp-admin/options.php b/wp-admin/options.php
index 45558dfbd9..f39a0aac1a 100644
--- a/wp-admin/options.php
+++ b/wp-admin/options.php
@@ -66,6 +66,7 @@ if ( is_multisite() ) {
 wp_redirect( admin_url( $redirect ) );
 exit;
 } elseif ( ! empty( $_GET['dismiss'] ) && 'new_admin_email' == $_GET['dismiss'] ) {
+ check_admin_referer( 'dismiss-' . get_current_blog_id() . '-new_admin_email' );
 delete_option( 'adminhash' );
 delete_option( 'new_admin_email' );
 wp_redirect( admin_url( 'options-general.php?updated=true' ) );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5f15afc2e9..5055e6086d 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.6-beta2-38005';
+$wp_version = '4.6-beta2-38006';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
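Review bot: In wp-admin/options.php, the added `check_admin_referer()` shows that the request came from a link generated for this user's session, not that the user is allowed to manage options. No `current_user_can()` check is visible in this hunk, so confirm that one runs earlier in the file before this `elseif` branch is reached. The branch still deletes `adminhash` and `new_admin_email` on a GET request, so the nonce travels in the URL, which is presumably acceptable for a time-limited nonce. A one-line comment above the call, e.g. `// CSRF: verify the nonce carried by the Cancel link in options-general.php.`, would record why the check is there. The `if ( is_multisite() )` block starts and ends outside the hunk.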