diff --git a/CHANGES b/CHANGES
index c3b175ea3..e1f0df5da 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2956,4 +2956,4 @@
 * mail: add brevo as relay provider
 * mail: add rbl6 check
 * eventlog: mail server change log
-
+* profile: avatar cannot be changed when profile is locked
diff --git a/src/server.js b/src/server.js
index f3f2a4b77..8da282131 100644
--- a/src/server.js
+++ b/src/server.js
@@ -178,7 +178,7 @@ async function initializeExpressSync() {
 router.post('/api/v1/profile/fallback_email', json, token, authorizeUser, routes.profile.canEditProfile, routes.users.verifyPassword, routes.profile.setFallbackEmail);
 router.post('/api/v1/profile/language', json, token, authorizeUser, routes.profile.setLanguage);
 router.get ('/api/v1/profile/avatar/:identifier', routes.profile.getAvatarById); // this is not scoped so it can used directly in img tag
- router.post('/api/v1/profile/avatar', token, authorizeUser, multipart, routes.profile.setAvatar); // avatar is not exposed in LDAP. so it's personal and not locked
+ router.post('/api/v1/profile/avatar', token, authorizeUser, routes.profile.canEditProfile, multipart, routes.profile.setAvatar); // avatar is not exposed in LDAP. so it's personal and not locked
 router.get ('/api/v1/profile/background_image', token, authorizeUser, routes.profile.getBackgroundImage);
 router.post('/api/v1/profile/background_image', token, authorizeUser, multipart, routes.profile.setBackgroundImage); // backgroundImage is not exposed in LDAP. so it's personal and not locked
 router.del ('/api/v1/profile/background_image', token, authorizeUser, routes.profile.unsetBackgroundImage); // backgroundImage is not exposed in LDAP. so it's personal and not locked
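Review bot: The trailing comment on the new `router.post('/api/v1/profile/avatar', ...)` line in src/server.js still reads "so it's personal and not locked", which contradicts the `routes.profile.canEditProfile` check this line now adds. A stale rationale next to an authorization gate invites a later cleanup that removes the gate, so the comment should become something like `// avatar cannot be changed when the profile is locked`. The `background_image` POST and DEL routes in the context lines keep the "not locked" rationale and no `canEditProfile`. If that difference from the avatar route is deliberate, it is worth stating in their comments, since the intent cannot be confirmed from this hunk. `initializeExpressSync` starts and ends outside the hunk, so any other route that modifies the avatar is not visible here.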