diff --git a/clients/cli/devices.c b/clients/cli/devices.c
index 6a9bb77b7c..3e5e49d9a6 100644
--- a/clients/cli/devices.c
+++ b/clients/cli/devices.c
@@ -53,7 +53,7 @@ ap_wpa_rsn_flags_to_string (NM80211ApSecurityFlags flags, NMMetaAccessorGetType
 		flags_str[i++] = "802.1X";
 	if (flags & NM_802_11_AP_SEC_KEY_MGMT_SAE)
 		flags_str[i++] = "sae";
-	if (flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)
+	if (NM_FLAGS_ANY (flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
 		flags_str[i++] = "owe";
 
 	/* Make sure you grow flags_str when adding items here. */
@@ -1214,7 +1214,7 @@ fill_output_access_point (gpointer data, gpointer user_data)
 	if (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_SAE) {
 		g_string_append (security_str, "WPA3 ");
 	}
-	if (rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE) {
+	if (NM_FLAGS_ANY (rsn_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)) {
 		g_string_append (security_str, "OWE ");
 	}
 	if (   (wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_802_1X)
@@ -3690,8 +3690,12 @@ do_device_wifi_connect (const NMCCommand *cmd, NmCli *nmc, int argc, const char
 
 	/* Set password for WEP or WPA-PSK. */
 	if (   (ap_flags & NM_802_11_AP_FLAGS_PRIVACY)
-	    || (ap_wpa_flags != NM_802_11_AP_SEC_NONE && !(ap_wpa_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE))
-	    || (ap_rsn_flags != NM_802_11_AP_SEC_NONE && !(ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE))) {
+	    || (   ap_wpa_flags != NM_802_11_AP_SEC_NONE
+	        && !NM_FLAGS_ANY (ap_wpa_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |
+	                                        NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
+	    || (   ap_rsn_flags != NM_802_11_AP_SEC_NONE
+	        && !NM_FLAGS_ANY (ap_rsn_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |
+	                                        NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))) {
 		const char *con_password = NULL;
 		NMSettingWirelessSecurity *s_wsec = NULL;
 
diff --git a/libnm-core/nm-dbus-interface.h b/libnm-core/nm-dbus-interface.h
index 28ee89bfbe..7d3482622f 100644
--- a/libnm-core/nm-dbus-interface.h
+++ b/libnm-core/nm-dbus-interface.h
@@ -351,6 +351,8 @@ typedef enum { /*< underscore_name=nm_802_11_ap_flags, flags >*/
  * supported
  * @NM_802_11_AP_SEC_KEY_MGMT_OWE: WPA/RSN Opportunistic Wireless Encryption is
  * supported
+ * @NM_802_11_AP_SEC_KEY_MGMT_OWE_TM: WPA/RSN Opportunistic Wireless Encryption
+ * transition mode is supported. Since: 1.26.
  *
  * 802.11 access point security and authentication flags.  These flags describe
  * the current security requirements of an access point as determined from the
@@ -370,6 +372,7 @@ typedef enum { /*< underscore_name=nm_802_11_ap_security_flags, flags >*/
 	NM_802_11_AP_SEC_KEY_MGMT_802_1X = 0x00000200,
 	NM_802_11_AP_SEC_KEY_MGMT_SAE    = 0x00000400,
 	NM_802_11_AP_SEC_KEY_MGMT_OWE    = 0x00000800,
+	NM_802_11_AP_SEC_KEY_MGMT_OWE_TM = 0x00001000,
 } NM80211ApSecurityFlags;
 
 /**
diff --git a/libnm-core/nm-setting-wireless.c b/libnm-core/nm-setting-wireless.c
index 2ef51088ea..124f9c45cf 100644
--- a/libnm-core/nm-setting-wireless.c
+++ b/libnm-core/nm-setting-wireless.c
@@ -222,8 +222,8 @@ nm_setting_wireless_ap_security_compatible (NMSettingWireless *s_wireless,
 			    && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_SAE))
 				return FALSE;
 		} else if (!strcmp (key_mgmt, "owe")) {
-			if (   !(ap_wpa & NM_802_11_AP_SEC_KEY_MGMT_OWE)
-			    && !(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_OWE))
+			if (   !NM_FLAGS_ANY (ap_wpa, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)
+			    && !NM_FLAGS_ANY (ap_rsn, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
 				return FALSE;
 		}
 
diff --git a/libnm-core/nm-utils.c b/libnm-core/nm-utils.c
index 05846c50aa..c88afb3238 100644
--- a/libnm-core/nm-utils.c
+++ b/libnm-core/nm-utils.c
@@ -1266,7 +1266,7 @@ nm_utils_security_valid (NMUtilsSecurityType type,
 			return FALSE;
 		if (!have_ap)
 			return TRUE;
-		if (!(ap_rsn & NM_802_11_AP_SEC_KEY_MGMT_OWE))
+		if (!NM_FLAGS_ANY (ap_rsn, NM_802_11_AP_SEC_KEY_MGMT_OWE | NM_802_11_AP_SEC_KEY_MGMT_OWE_TM))
 			return FALSE;
 		return TRUE;
 	case NMU_SEC_INVALID:
diff --git a/src/devices/wifi/nm-wifi-ap.c b/src/devices/wifi/nm-wifi-ap.c
index e427c86fbd..b0aaf3e9b2 100644
--- a/src/devices/wifi/nm-wifi-ap.c
+++ b/src/devices/wifi/nm-wifi-ap.c
@@ -913,7 +913,8 @@ nm_wifi_ap_class_init (NMWifiAPClass *ap_class)
 	| NM_802_11_AP_SEC_KEY_MGMT_PSK \
 	| NM_802_11_AP_SEC_KEY_MGMT_802_1X \
 	| NM_802_11_AP_SEC_KEY_MGMT_SAE \
-	| NM_802_11_AP_SEC_KEY_MGMT_OWE )
+	| NM_802_11_AP_SEC_KEY_MGMT_OWE \
+	| NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)
 
 	GObjectClass *object_class = G_OBJECT_CLASS (ap_class);
 	NMDBusObjectClass *dbus_object_class = NM_DBUS_OBJECT_CLASS (ap_class);
diff --git a/src/devices/wifi/nm-wifi-utils.c b/src/devices/wifi/nm-wifi-utils.c
index 0903dc8bba..6853852562 100644
--- a/src/devices/wifi/nm-wifi-utils.c
+++ b/src/devices/wifi/nm-wifi-utils.c
@@ -760,7 +760,8 @@ nm_wifi_utils_complete_connection (GBytes *ap_ssid,
 		              NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, "open",
 		              NULL);
 	} else if (   (key_mgmt && !strcmp (key_mgmt, "owe"))
-	           || (ap_rsn_flags & NM_802_11_AP_SEC_KEY_MGMT_OWE)) {
+	           || NM_FLAGS_ANY (ap_rsn_flags, NM_802_11_AP_SEC_KEY_MGMT_OWE |
+	                                          NM_802_11_AP_SEC_KEY_MGMT_OWE_TM)) {
 		g_object_set (s_wsec,
 		              NM_SETTING_WIRELESS_SECURITY_KEY_MGMT, "owe",
 		              NM_SETTING_WIRELESS_SECURITY_AUTH_ALG, "open",
diff --git a/src/supplicant/nm-supplicant-interface.c b/src/supplicant/nm-supplicant-interface.c
index 1c7b9a4213..6bbeb1ebcd 100644
--- a/src/supplicant/nm-supplicant-interface.c
+++ b/src/supplicant/nm-supplicant-interface.c
@@ -702,6 +702,19 @@ _bss_info_properties_changed (NMSupplicantInterface *self,
 		p_max_rate_has = TRUE;
 		g_variant_unref (v_v);
 	}
+
+	v_v = nm_g_variant_lookup_value (properties, "WPA", G_VARIANT_TYPE_VARDICT);
+	if (v_v) {
+		bss_info->wpa_flags = security_from_vardict (v_v);
+		g_variant_unref (v_v);
+	}
+
+	v_v = nm_g_variant_lookup_value (properties, "RSN", G_VARIANT_TYPE_VARDICT);
+	if (v_v) {
+		bss_info->rsn_flags = security_from_vardict (v_v);
+		g_variant_unref (v_v);
+	}
+
 	v_v = nm_g_variant_lookup_value (properties, "IEs", G_VARIANT_TYPE_BYTESTRING);
 	if (v_v) {
 		gboolean p_owe_transition_mode;
@@ -715,27 +728,16 @@ _bss_info_properties_changed (NMSupplicantInterface *self,
 		g_variant_unref (v_v);
 
 		if (p_owe_transition_mode)
-			bss_info->rsn_flags |= NM_802_11_AP_SEC_KEY_MGMT_OWE;
+			bss_info->rsn_flags |= NM_802_11_AP_SEC_KEY_MGMT_OWE_TM;
 		else
-			bss_info->rsn_flags &= ~NM_802_11_AP_SEC_KEY_MGMT_OWE;
+			bss_info->rsn_flags &= ~NM_802_11_AP_SEC_KEY_MGMT_OWE_TM;
 
 		bss_info->metered = p_metered;
 	}
+
 	if (p_max_rate_has)
 		bss_info->max_rate = p_max_rate / 1000u;
 
-	v_v = nm_g_variant_lookup_value (properties, "WPA", G_VARIANT_TYPE_VARDICT);
-	if (v_v) {
-		bss_info->wpa_flags = security_from_vardict (v_v);
-		g_variant_unref (v_v);
-	}
-
-	v_v = nm_g_variant_lookup_value (properties, "RSN", G_VARIANT_TYPE_VARDICT);
-	if (v_v) {
-		bss_info->rsn_flags = security_from_vardict (v_v);
-		g_variant_unref (v_v);
-	}
-
 	_bss_info_changed_emit (self, bss_info, TRUE);
 }