diff --git a/src/routes/user.js b/src/routes/user.js
index a8dc4c3f9..1fab2d292 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -182,6 +182,9 @@ function verifyPassword(req, res, next) {
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
+ // Only allow admins or users, operating on themselves
+ if (req.params.userId && !(req.user.id === req.params.userId || req.user.admin)) return next(new HttpError(403, 'Not allowed'));
+
 user.verify(req.user.username, req.body.password, function (error) {
 if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect'));
 if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(403, 'Password incorrect'));