diff --git a/superset/commands/database/update.py b/superset/commands/database/update.py
index 8cc5e424519f8..fbf90694f48e6 100644
--- a/superset/commands/database/update.py
+++ b/superset/commands/database/update.py
@@ -72,7 +72,7 @@ def run(self) -> Model:
             self._properties["encrypted_extra"] = (
                 self._model.db_engine_spec.unmask_encrypted_extra(
                     self._model.encrypted_extra,
-                    self._properties["masked_encrypted_extra"],
+                    self._properties.pop("masked_encrypted_extra"),
                 )
             )
 
diff --git a/tests/unit_tests/commands/databases/update_test.py b/tests/unit_tests/commands/databases/update_test.py
index a7a1dd97c5eab..daf41b7506888 100644
--- a/tests/unit_tests/commands/databases/update_test.py
+++ b/tests/unit_tests/commands/databases/update_test.py
@@ -418,6 +418,54 @@ def test_remove_oauth_config_purges_tokens(
     database_needs_oauth2.purge_oauth2_tokens.assert_called()
 
 
+def test_update_oauth2_removes_masked_encrypted_extra_key(
+    mocker: MockerFixture,
+    database_needs_oauth2: MockerFixture,
+) -> None:
+    """
+    Test that the ``masked_encrypted_extra`` key is properly purged from the properties.
+    """
+    DatabaseDAO = mocker.patch("superset.commands.database.update.DatabaseDAO")  # noqa: N806
+    DatabaseDAO.find_by_id.return_value = database_needs_oauth2
+    DatabaseDAO.update.return_value = database_needs_oauth2
+
+    find_permission_view_menu = mocker.patch.object(
+        security_manager,
+        "find_permission_view_menu",
+    )
+    find_permission_view_menu.side_effect = [
+        None,
+        "[my_db].[schema2]",
+    ]
+    add_permission_view_menu = mocker.patch.object(
+        security_manager,
+        "add_permission_view_menu",
+    )
+
+    modified_oauth2_client_info = oauth2_client_info.copy()
+    modified_oauth2_client_info["scope"] = "scope-b"
+
+    UpdateDatabaseCommand(
+        1,
+        {
+            "masked_encrypted_extra": json.dumps(
+                {"oauth2_client_info": modified_oauth2_client_info}
+            )
+        },
+    ).run()
+
+    add_permission_view_menu.assert_not_called()
+    database_needs_oauth2.purge_oauth2_tokens.assert_called()
+    DatabaseDAO.update.assert_called_with(
+        database_needs_oauth2,
+        {
+            "encrypted_extra": json.dumps(
+                {"oauth2_client_info": modified_oauth2_client_info}
+            )
+        },
+    )
+
+
 def test_update_other_fields_dont_affect_oauth(
     mocker: MockerFixture,
     database_needs_oauth2: MockerFixture,