diff --git a/core/modules/update/src/Tests/UpdateContribTest.php b/core/modules/update/src/Tests/UpdateContribTest.php
index 923b5d59ae4e68f162f63df6f28fabf53cdb1d47..88cf378419c5cc46d20a0b165f91273aa8c33de7 100644
--- a/core/modules/update/src/Tests/UpdateContribTest.php
+++ b/core/modules/update/src/Tests/UpdateContribTest.php
@@ -345,6 +345,9 @@ function testUpdateBrokenFetchURL() {
 );
 $this->config('update_test.settings')->set('system_info', $system_info)->save();
+ // Ensure that the update information is correct before testing.
+ $this->drupalGet('admin/reports/updates');
+
 $xml_mapping = array(
 'drupal' => '0.0',
 'aaa_update_test' => '1_0',
diff --git a/core/modules/update/src/Tests/UpdateCoreTest.php b/core/modules/update/src/Tests/UpdateCoreTest.php
index 799d5a96adba46669a7f729dffacc6a9c1fa4ad6..baecde88c50396434fba8cad73946f2043ccc8ec 100644
--- a/core/modules/update/src/Tests/UpdateCoreTest.php
+++ b/core/modules/update/src/Tests/UpdateCoreTest.php
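Review bot: The comment added in testUpdateBrokenFetchURL() (UpdateContribTest.php), `// Ensure that the update information is correct before testing.`, does not say what the extra request to `admin/reports/updates` is meant to refresh or why the test now needs it, and the response is never asserted. The same comment is reused in testUploadModule() in UpdateUploadTest.php, where it sits above `update_get_available(TRUE);` rather than a page request. Presumably both calls prime the available-update data now that the manual check route is token-protected; if so, say that, e.g. `// Prime the available-update data up front; the manual check route now requires a CSRF token.`, and add `$this->assertResponse(200);` after the `drupalGet()`. The test body starts and ends outside the hunk.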
@@ -65,11 +65,17 @@ function testNoUpdatesAvailable() {
 */
 function testNormalUpdateAvailable() {
 $this->setSystemInfo('8.0.0');
+
+ // Ensure that the update check requires a token.
+ $this->drupalGet('admin/reports/updates/check');
+ $this->assertResponse(403, 'Accessing admin/reports/updates/check without a CSRF token results in access denied.');
+
 foreach (array(0, 1) as $minor_version) {
 foreach (array('-alpha1', '-beta1', '') as $extra_version) {
 $this->refreshUpdateStatus(array('drupal' => "$minor_version.1" . $extra_version));
 $this->standardTests();
- $this->drupalGet('admin/reports/updates/check');
+ $this->drupalGet('admin/reports/updates');
+ $this->clickLink(t('Check manually'));
 $this->assertNoText(t('Security update required!'));
 $this->assertRaw(\Drupal::l("8.$minor_version.1" . $extra_version, Url::fromUri("http://example.com/drupal-8-$minor_version-1$extra_version-release")), 'Link to release appears.');
 $this->assertRaw(\Drupal::l(t('Download'), Url::fromUri("http://example.com/drupal-8-$minor_version-1$extra_version.tar.gz")), 'Link to download appears.');
@@ -131,7 +137,8 @@ function testMajorUpdateAvailable() {
 $this->setSystemInfo("8.$minor_version.$patch_version" . $extra_version);
 $this->refreshUpdateStatus(array('drupal' => '9'));
 $this->standardTests();
- $this->drupalGet('admin/reports/updates/check');
+ $this->drupalGet('admin/reports/updates');
+ $this->clickLink(t('Check manually'));
 $this->assertNoText(t('Security update required!'));
 $this->assertRaw(\Drupal::l('9.0.0', Url::fromUri("http://example.com/drupal-9-0-0-release")), 'Link to release appears.');
 $this->assertRaw(\Drupal::l(t('Download'), Url::fromUri("http://example.com/drupal-9-0-0.tar.gz")), 'Link to download appears.');
diff --git a/core/modules/update/src/Tests/UpdateTestBase.php b/core/modules/update/src/Tests/UpdateTestBase.php
index de15b0b23a2793d7d91c8cc61b99cdda70c7dd49..9cb3c20fc05cccd8e28920cff8f9384563cb77b3 100644
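Review bot: The new `assertResponse(403, ...)` at the top of testNormalUpdateAvailable() only proves the token requirement if the logged-in test user already holds 'administer site configuration'; otherwise the 403 comes from the permission check and the assertion passes for the wrong reason. setUp() is outside this hunk, so confirm which user is active at that point. The test also covers only the absent-token case; a second request with a wrong token, `$this->drupalGet('admin/reports/updates/check', array('query' => array('token' => 'invalid')));` followed by the same `assertResponse(403)`, would pin the validation rather than just the presence check. The function body continues past the end of the hunk.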
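Review bot: The two-line sequence `$this->drupalGet('admin/reports/updates');` / `$this->clickLink(t('Check manually'));` in testMajorUpdateAvailable() is repeated verbatim in testNormalUpdateAvailable() above and in refreshUpdateStatus() in UpdateTestBase.php. A small protected helper on the base class, for example `checkUpdatesManually()`, would keep the tokenised-link navigation in one place, so a later change to the link label or route touches one method. Both loops also call refreshUpdateStatus() a few lines earlier, which already ends with the same manual check, so the second round trip may be redundant; confirm whether standardTests() needs the data fetched again. The enclosing loops start outside the hunk.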
--- a/core/modules/update/src/Tests/UpdateTestBase.php
+++ b/core/modules/update/src/Tests/UpdateTestBase.php
@@ -67,7 +67,8 @@ protected function refreshUpdateStatus($xml_map, $url = 'update-test') {
 // Save the map for UpdateTestController::updateTest() to use.
 $this->config('update_test.settings')->set('xml_map', $xml_map)->save();
 // Manually check the update status.
- $this->drupalGet('admin/reports/updates/check');
+ $this->drupalGet('admin/reports/updates');
+ $this->clickLink(t('Check manually'));
 }
 /**
diff --git a/core/modules/update/src/Tests/UpdateUploadTest.php b/core/modules/update/src/Tests/UpdateUploadTest.php
index 1605f2e6a9991c02a1217f09bab72acb39653c80..39b6944b98e6508879e27bebfe9ac2e3b2916236 100644
--- a/core/modules/update/src/Tests/UpdateUploadTest.php
+++ b/core/modules/update/src/Tests/UpdateUploadTest.php
@@ -30,6 +30,9 @@ protected function setUp() {
 * Tests upload, extraction, and update of a module.
 */
 public function testUploadModule() {
+ // Ensure that the update information is correct before testing.
+ update_get_available(TRUE);
+
 // Images are not valid archives, so get one and try to install it. We
 // need an extra variable to store the result of drupalGetTestFiles()
 // since reset() takes an argument by reference and passing in a constant
diff --git a/core/modules/update/update.install b/core/modules/update/update.install
index b2223f10ae67d1997f61657ba1b309c5c2f4e11f..e8101295c1e22602c73a1cd351965a395949af6f 100644
--- a/core/modules/update/update.install
+++ b/core/modules/update/update.install
@@ -148,3 +148,20 @@ function _update_requirement_check($project, $type) {
 $requirement['value'] = \Drupal::l($requirement_label, new Url(_update_manager_access() ? 'update.report_update' : 'update.status'));
 return $requirement;
 }
+
+/**
+ * @addtogroup updates-8.1.x
+ * @{
+ */
+
+/**
+ * Rebuild the router to ensure admin/reports/updates/check has CSRF protection.
+ */
+function update_update_8001() {
+ // Empty update forces a call to drupal_flush_all_caches() which rebuilds the
+ // router.
+}
+
+/**
+ * @} End of "addtogroup updates-8.1.x".
+ */
diff --git a/core/modules/update/update.routing.yml b/core/modules/update/update.routing.yml
index 0049396cc94b1cc90f818128542fce6eb7160a53..d5b79ea3aed80eea2a0fd4b3dbf04589be46aa1e 100644
--- a/core/modules/update/update.routing.yml
+++ b/core/modules/update/update.routing.yml
@@ -21,6 +21,7 @@ update.manual_status:
 _controller: '\Drupal\update\Controller\UpdateController::updateStatusManually'
 requirements:
 _permission: 'administer site configuration'
+ _csrf_token: 'TRUE'
 update.report_install:
 path: '/admin/reports/updates/install'
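Review bot: update_update_8001() in update.install has an empty body and relies on the cache flush that follows any database update, so its purpose is carried only by the comment. Going by the docblock, an existing site keeps serving the previously cached route for `admin/reports/updates/check` until the update (or a cache rebuild) has run, so the token check is presumably not enforced in that window. The inline comment should say so, e.g. `// Until this update has run, the cached route definition still lacks the _csrf_token requirement.`. If explicit intent is preferred over the side effect, `\Drupal::service('router.builder')->setRebuildNeeded();` in the body states it directly.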
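Review bot: With `_csrf_token: 'TRUE'` on update.manual_status, only URLs generated from the route carry a valid token, so any link or redirect that hard-codes the path `admin/reports/updates/check` will now get a 403. The diff updates the tests to follow the 'Check manually' link, but other callers such as help text, status messages or contributed code are not visible here; a search for the literal path is worth doing before merging. A short comment above the requirement would record why it is there, e.g. `# This GET route triggers a manual update check, so require a CSRF token.`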