diff --git a/src/Application/TakeoutSaaS.Application/Identity/Handlers/ResetAdminPasswordByTokenCommandHandler.cs b/src/Application/TakeoutSaaS.Application/Identity/Handlers/ResetAdminPasswordByTokenCommandHandler.cs
index 8df343d..1d1ace2 100644
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/ResetAdminPasswordByTokenCommandHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/ResetAdminPasswordByTokenCommandHandler.cs
@@ -46,12 +46,11 @@ public sealed class ResetAdminPasswordByTokenCommandHandler(
             throw new BusinessException(ErrorCodes.BadRequest, "重置链接无效或已过期");
         }
 
-        // 3. (空行后) 获取用户（可更新）并写入新密码哈希
-        var user = await userRepository.GetForUpdateAsync(userId.Value, cancellationToken)
+        // 3. (空行后) 获取用户（可更新，忽略租户过滤器）并写入新密码哈希
+        var user = await userRepository.GetForUpdateIgnoringTenantAsync(userId.Value, cancellationToken)
             ?? throw new BusinessException(ErrorCodes.NotFound, "用户不存在");
 
         user.PasswordHash = passwordHasher.HashPassword(user, password);
         await userRepository.SaveChangesAsync(cancellationToken);
     }
 }
-
diff --git a/src/Domain/TakeoutSaaS.Domain/Identity/Repositories/IIdentityUserRepository.cs b/src/Domain/TakeoutSaaS.Domain/Identity/Repositories/IIdentityUserRepository.cs
index 773854a..3f10ffb 100644
--- a/src/Domain/TakeoutSaaS.Domain/Identity/Repositories/IIdentityUserRepository.cs
+++ b/src/Domain/TakeoutSaaS.Domain/Identity/Repositories/IIdentityUserRepository.cs
@@ -39,6 +39,15 @@ public interface IIdentityUserRepository
     /// <returns>后台用户或 null。</returns>
     Task<IdentityUser?> GetForUpdateAsync(long userId, CancellationToken cancellationToken = default);
 
+    /// <summary>
+    /// 根据 ID 获取后台用户（用于更新，忽略租户过滤器）。
+    /// </summary>
+    /// <remarks>用于跨租户场景（如平台生成的重置密码链接）。</remarks>
+    /// <param name="userId">用户 ID。</param>
+    /// <param name="cancellationToken">取消标记。</param>
+    /// <returns>后台用户或 null。</returns>
+    Task<IdentityUser?> GetForUpdateIgnoringTenantAsync(long userId, CancellationToken cancellationToken = default);
+
     /// <summary>
     /// 按租户与关键字查询后台用户列表（仅读）。
     /// </summary>
diff --git a/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfIdentityUserRepository.cs b/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfIdentityUserRepository.cs
index a79df2f..2cf7e38 100644
--- a/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfIdentityUserRepository.cs
+++ b/src/Infrastructure/TakeoutSaaS.Infrastructure/Identity/Persistence/EfIdentityUserRepository.cs
@@ -50,6 +50,19 @@ public sealed class EfIdentityUserRepository(IdentityDbContext dbContext) : IIde
     public Task<IdentityUser?> GetForUpdateAsync(long userId, CancellationToken cancellationToken = default)
         => dbContext.IdentityUsers.FirstOrDefaultAsync(x => x.Id == userId, cancellationToken);
 
+    /// <summary>
+    /// 根据 ID 获取后台用户（用于更新，忽略租户过滤器）。
+    /// </summary>
+    /// <remarks>用于跨租户场景（如平台生成的重置密码链接）。</remarks>
+    /// <param name="userId">用户 ID。</param>
+    /// <param name="cancellationToken">取消标记。</param>
+    /// <returns>后台用户或 null。</returns>
+    public Task<IdentityUser?> GetForUpdateIgnoringTenantAsync(long userId, CancellationToken cancellationToken = default)
+        => dbContext.IdentityUsers
+            .IgnoreQueryFilters()
+            .Where(x => x.DeletedAt == null)
+            .FirstOrDefaultAsync(x => x.Id == userId, cancellationToken);
+
     /// <summary>
     /// 按租户与关键字搜索后台用户（只读）。
     /// </summary>