diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64f9884e8b..51bbb7470b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes for Craft CMS 3.x
+## Unreleased
+
+- Fixed a privilege escalation vulnerability.
+
 ## 3.9.5 - 2023-10-17
 - Added `pgpassword` and `pwd` to the list of keywords that Craft will look for when determining whether a value is sensitive and should be redacted from logs, etc.
diff --git a/src/controllers/UsersController.php b/src/controllers/UsersController.php
index 49a3dfd1ee..5a0a157d29 100644
--- a/src/controllers/UsersController.php
+++ b/src/controllers/UsersController.php
@@ -1206,7 +1206,7 @@ JS;
 // Is the site set to use email addresses as usernames?
 if ($generalConfig->useEmailAsUsername) {
 $user->username = $user->email;
- } else {
+ } elseif ($isNewUser || $currentUser->admin || $isCurrentUser) {
 $user->username = $this->request->getBodyParam('username', ($user->username ?: $user->email));
 }
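Review bot: The new `elseif` guarding the username assignment is the authorization boundary that the changelog's privilege-escalation entry refers to, yet it carries no comment saying so, and when none of the three conditions hold a posted `username` is silently discarded while the request otherwise proceeds as a successful save. I would document the intent directly above the branch: `// Only a new-user registration, an admin, or the user editing their own account may set the username; a posted value from anyone else is ignored.` Consider also making the discarded case observable — rejecting the request as forbidden, or at least logging that a username change was dropped — so an unauthorized submission does not look identical to a legitimate one in the response and in the audit trail. The guard's correctness rests on how `$isNewUser`, `$isCurrentUser` and `$currentUser` are derived earlier in the action, which begins and ends outside this hunk; it is worth confirming that `$currentUser` cannot be null on this path, since `$currentUser->admin` would then error rather than deny.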