diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d45603e..587710a8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes
 
+## WIP
+
+- Fix not allowed user role modification by intercepting request
+
 ## 2.3.7 (2023-01-31)
 
 - Batch update collection items state
diff --git a/modules/System/Controller/Users.php b/modules/System/Controller/Users.php
index 78f844d0..c53c1706 100644
--- a/modules/System/Controller/Users.php
+++ b/modules/System/Controller/Users.php
@@ -82,6 +82,11 @@ public function save() {
             return $this->stop(['error' => 'User data is missing'], 412);
         }
 
+        // don't allow to change role if not allowed
+        if (isset($user['role']) && !$this->isAllowed('app/users/manage')) {
+            unset($user['role']);
+        }
+
         $user['_modified'] = time();
 
         $isUpdate = isset($user['_id']);
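Review bot: The new guard in the Users.php hunk silently drops `role` instead of rejecting the request, so a caller without `app/users/manage` who submits a role change gets the same success response as a legitimate update and nothing records that the field was stripped. Failing explicitly, in the style of the 412 two lines above, makes the outcome visible to both the client and the audit trail: `return $this->stop(['error' => 'Not allowed to change user role'], 403);`, or at minimum log the stripped field before the `unset` so the attempt is observable to operators. Note also that `isset()` is false for a `null` value, so `'role' => null` passes this guard; whether that can clear the stored role depends on how the later persistence step merges `$user` into the existing record, which is not visible here. `save()` continues beyond the end of the hunk.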