Can't verify CSRF token authenticity / Completed 422 Unprocessable Entity

Hello everybody,

I try using curl and the "destroy_path" to delete an entry in the Gitlab Container Registry.

curl -s -H "PRIVATE-TOKEN: ${TOKEN}" -X DELETE http://<HOSTNAME>/<PROJECTPATH>/container_registry/<ID>.json

But I always get the error:

The change you requested was rejected (422)

In the gitlab-rails/production.log I see the following error message:

Started DELETE "/<PROJECTPATH>/container_registry/<ID>.json" for xxx.xxx.xxx at 2018-08-10 08:42:31 +0200
Processing by Projects::Registry::RepositoriesController#destroy as JSON
  Parameters: {"namespace_id"=>"<PROJETNAME>", "project_id"=>"<PROJECTID>", "id"=>"<ID>", "repository"=>{}}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms (ActiveRecord: 0.0ms)

ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
  lib/gitlab/middleware/multipart.rb:95:in `call'
  lib/gitlab/request_profiler/middleware.rb:14:in `call'
  lib/gitlab/middleware/go.rb:17:in `call'
  lib/gitlab/etag_caching/middleware.rb:11:in `call'
  lib/gitlab/middleware/read_only/controller.rb:28:in `call'
  lib/gitlab/middleware/read_only.rb:16:in `call'
  lib/gitlab/request_context.rb:18:in `call'
  lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
  lib/gitlab/middleware/release_env.rb:10:in `call'

I got the destroy_path using curl:
curl -s -H "Private-Token: ${TOKEN}" http://<HOSTNAME>/<PROJECTPATH>/container_registry.json?format=json | jq .[]

{
  "id": <ID>,
  "path": "<PROJECTPATH>/branch/<BRANCHNAME>",
  "location": "<HOSTNAME>/<PROJECTPATH>/branch/<BRANCHNAME>",
  "tags_path": "/<PROJECTPATH>/registry/repository/<ID>/tags?format=json",
  "destroy_path": "/<PROJECTPATH>/container_registry/<ID>.json"
}

I also created a personal access token https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html

OS: Debian
Package:
gitlab-ce
11.0.3-ce.0

I hope my desciption is complete and somebody can have a look at this.