diff --git a/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs b/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs index 91c5be905440..19aab2cc83a6 100644 --- a/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs +++ b/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs @@ -7,7 +7,6 @@ using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http.Endpoints; using Microsoft.Extensions.Logging; -using Microsoft.Extensions.Logging.Abstractions; namespace Microsoft.AspNetCore.Cors.Infrastructure { @@ -119,6 +118,9 @@ public CorsMiddleware( /// public Task Invoke(HttpContext context, ICorsPolicyProvider corsPolicyProvider) { + // Flag to indicate to other systems, that CORS middleware was run for this request + context.Items[CorsMiddlewareInvokedKey] = CorsMiddlewareInvokedValue; + if (!context.Request.Headers.ContainsKey(CorsConstants.Origin)) { return _next(context); @@ -137,9 +139,6 @@ private async Task InvokeCore(HttpContext context, ICorsPolicyProvider corsPolic // fetch policy by name, prioritizing it above policy on middleware // 3. If there is no policy on middleware then use name on middleware - // Flag to indicate to other systems, e.g. MVC, that CORS middleware was run for this request - context.Items[CorsMiddlewareInvokedKey] = CorsMiddlewareInvokedValue; - var endpoint = context.GetEndpoint(); // Get the most significant CORS metadata for the endpoint diff --git a/src/Middleware/CORS/test/UnitTests/CorsMiddlewareTests.cs b/src/Middleware/CORS/test/UnitTests/CorsMiddlewareTests.cs index 08edb4d58b53..d6ceaa8f3860 100644 --- a/src/Middleware/CORS/test/UnitTests/CorsMiddlewareTests.cs +++ b/src/Middleware/CORS/test/UnitTests/CorsMiddlewareTests.cs 
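Review bot: In the `Invoke` hunk of CorsMiddleware.cs, the relocated comment does not say why the flag is now written before the `Origin` check, and the flag no longer implies that a policy was evaluated. With this placement `context.Items[CorsMiddlewareInvokedKey]` is set on every request that reaches the middleware, including the early `return _next(context)` path where no policy is looked up or applied. Any consumer of the flag should read it as "the middleware is in the pipeline" and not as "CORS was enforced for this request"; whether existing consumers already do so is not visible in this diff. I would word the comment as `// Set before the Origin check: marks that CORS middleware is in the pipeline, even when no policy is evaluated for this request.` The body of `Invoke` continues outside the hunk.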
@@ -876,5 +876,28 @@ public async Task Invoke_InvokeFlagSet() // Assert Assert.Contains(httpContext.Items, item => string.Equals(item.Key as string, "__CorsMiddlewareInvoked")); } + + [Fact] + public async Task Invoke_WithoutOrigin_InvokeFlagSet() + { + // Arrange + var corsService = Mock.Of(); + var mockProvider = Mock.Of(); + var loggerFactory = NullLoggerFactory.Instance; + + var middleware = new CorsMiddleware( + Mock.Of(), + corsService, + loggerFactory, + "DefaultPolicyName"); + + var httpContext = new DefaultHttpContext(); + + // Act + await middleware.Invoke(httpContext, mockProvider); + + // Assert + Assert.Contains(httpContext.Items, item => string.Equals(item.Key as string, "__CorsMiddlewareInvoked")); + } } } diff --git a/src/Mvc/test/Mvc.FunctionalTests/CorsTestsBase.cs b/src/Mvc/test/Mvc.FunctionalTests/CorsTestsBase.cs index 637a427b1112..413d2247c51b 100644 --- a/src/Mvc/test/Mvc.FunctionalTests/CorsTestsBase.cs +++ b/src/Mvc/test/Mvc.FunctionalTests/CorsTestsBase.cs @@ -282,7 +282,7 @@ public async Task DisableCors_PreFlight_ActionsCanOverride_ControllerLevel(strin } [Fact] - public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnController() + public async Task Cors_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnController() { // Arrange var url = "http://localhost/api/store/actionusingcontrollercorssettings"; @@ -314,7 +314,7 @@ public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpeci } [Fact] - public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnAction() + public async Task Cors_RunsBeforeOtherAuthorizationFilters_UsesPolicySpecifiedOnAction() { // Arrange var url = "http://localhost/api/store/actionwithcorssettings"; 
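Review bot: `Invoke_WithoutOrigin_InvokeFlagSet` asserts only that the key is present in `httpContext.Items`, so it would still pass if the no-Origin path began evaluating a policy or writing CORS response headers. Since the point of the early exit is that the middleware stays a no-op for non-CORS requests, pin that as well after the existing assertion: `Assert.Empty(httpContext.Response.Headers);` and `Mock.Get(corsService).VerifyNoOtherCalls();`. The `string.Equals` call also omits a `StringComparison`; it matches the neighbouring test, but `StringComparison.Ordinal` would make the intent explicit.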
@@ -349,7 +349,7 @@ public async Task CorsFilter_RunsBeforeOtherAuthorizationFilters_UsesPolicySpeci } [Fact] - public async Task DisableCorsFilter_RunsBeforeOtherAuthorizationFilters() + public async Task DisableCors_RunsBeforeOtherAuthorizationFilters() { // Controller enables authorization and Cors, the action has a DisableCorsAttribute. // We expect the CorsMiddleware to execute and no-op @@ -377,7 +377,7 @@ public async Task DisableCorsFilter_RunsBeforeOtherAuthorizationFilters() } [Fact] - public async Task CorsFilter_OnAction_PreferredOverController_AndAuthorizationFiltersRunAfterCors() + public async Task Cors_OnAction_PreferredOverController_AndAuthorizationFiltersRunAfterCors() { // Arrange var request = new HttpRequestMessage( @@ -398,5 +398,21 @@ public async Task CorsFilter_OnAction_PreferredOverController_AndAuthorizationFi var content = await response.Content.ReadAsStringAsync(); Assert.Empty(content); } + + [Fact] + public async Task Cors_WithoutOriginHeader_Works() + { + // Arrange + var request = new HttpRequestMessage( + HttpMethod.Put, + "http://localhost/Cors/EditUserComment?userComment=abcd"); + + // Act + var response = await Client.SendAsync(request); + + // Assert + await response.AssertStatusCodeAsync(HttpStatusCode.OK); + Assert.Empty(response.Headers); + } } }
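Review bot: `Assert.Empty(response.Headers)` in `Cors_WithoutOriginHeader_Works` requires the response to carry no headers at all, which is broader than the CORS behaviour under test and will fail as soon as the host or another middleware adds an unrelated header. Assert the absence of the CORS header instead, for example `Assert.False(response.Headers.Contains("Access-Control-Allow-Origin"));`. The `_Works` suffix also does not say what is being pinned; the test appears to guard that a request without `Origin` to a CORS-enabled action succeeds and receives no CORS headers, and a name stating that would make a future failure easier to read.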