diff --git a/app/views/users/show.api.rsb b/app/views/users/show.api.rsb
index f6a323265a..d84be914ec 100644
--- a/app/views/users/show.api.rsb
+++ b/app/views/users/show.api.rsb
@@ -9,7 +9,7 @@ api.user do
   api.updated_on @user.updated_on
   api.last_login_on     @user.last_login_on
   api.passwd_changed_on @user.passwd_changed_on
-  api.avatar_url gravatar_url(@user.mail, {rating: nil, size: nil, default: Setting.gravatar_default}) if Setting.gravatar_enabled?
+  api.avatar_url gravatar_url(@user.mail, {rating: nil, size: nil, default: Setting.gravatar_default}) if @user.mail && Setting.gravatar_enabled?
   api.twofa_scheme      @user.twofa_scheme if User.current.admin? || (User.current == @user)
   api.api_key    @user.api_key if User.current.admin? || (User.current == @user)
   api.status     @user.status if User.current.admin?
diff --git a/test/integration/api_test/users_test.rb b/test/integration/api_test/users_test.rb
index 26473356ae..8444500d9a 100644
--- a/test/integration/api_test/users_test.rb
+++ b/test/integration/api_test/users_test.rb
@@ -96,6 +96,24 @@ class Redmine::ApiTest::UsersTest < Redmine::ApiTest::Base
     assert_select 'user avatar_url', :text => %r|\Ahttps://gravatar.com/avatar/\h{32}\?default=robohash|
   end
 
+  test "GET /users/:id.xml should not return avatar_url when not set email address" do
+    user = User.find(2)
+    user.email_addresses.delete_all
+    assert_equal 'jsmith', user.login
+    assert_nil user.mail
+
+    Redmine::Configuration.with 'avatar_server_url' => 'https://gravatar.com' do
+      with_settings :gravatar_enabled => '1', :gravatar_default => 'robohash' do
+        get '/users/2.xml'
+      end
+    end
+
+    assert_response :success
+    assert_select 'user id', :text => '2'
+    assert_select 'user login', :text => 'jsmith'
+    assert_select 'user avatar_url', :count => 0
+  end
+
   test "GET /users/:id.json should return the user" do
     get '/users/2.json'