diff --git a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
index f5b78e513..e19442457 100644
--- a/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
+++ b/rules/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
@@ -279,6 +279,17 @@ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
 ver:'OWASP_CRS/3.2.0',\
 setvar:'tx.allowed_request_content_type=%{tx.allowed_request_content_type}|text/vcard'"
+# Allow modifying contacts via the web interface
+SecRule REQUEST_METHOD "@streq PUT" \
+ "id:9003321,\
+ phase:1,\
+ pass,\
+ t:none,\
+ nolog,\
+ chain"
+ SecRule REQUEST_FILENAME "@contains /remote.php/dav/addressbooks/" \
+ "t:none,\
+ ctl:ruleRemoveById=200002"
 # [ Calendar ]
 #
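Review bot: The `ctl:ruleRemoveById=200002` in the new chained rule applies to every PUT whose path contains `/remote.php/dav/addressbooks/`, whatever its Content-Type. 200002 is not a CRS rule; as far as I know it is the `REQBODY_ERROR` check from modsecurity.conf-recommended that rejects requests whose body failed to parse, so with it removed a malformed body on this path is passed on and the body-based rules see little of it. I would narrow the chain with a further link such as `SecRule REQUEST_HEADERS:Content-Type "@beginsWith text/vcard"` (assuming that is what the web interface sends, as the preceding `text/vcard` rule suggests) and move the `ctl` onto that last link. The comment should also name the rule being removed, e.g. `# 200002 = request body parse error check (modsecurity.conf-recommended)`, and unlike the rule above it 9003321 carries no `ver:'OWASP_CRS/3.2.0'`.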