diff --git a/controllers/user.go b/controllers/user.go
index 16be9a1d..125f81a3 100644
--- a/controllers/user.go
+++ b/controllers/user.go
@@ -473,6 +473,11 @@ func (c *ApiController) SetPassword() {
 return
 }
 
+ if targetUser.IsForbidden || targetUser.IsDeleted {
+ c.ResponseError(c.T("account:Failed to set password, the user is either forbidden or deleted"))
+ return
+ }
+
 isAdmin := c.IsAdmin()
 if isAdmin {
 if oldPassword != "" {
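Review bot: `targetUser.IsForbidden` is dereferenced in the added guard with no nil check visible in the hunk; the lines above are outside the hunk, so confirm the lookup that fills `targetUser` cannot return nil without an error, or fold it in as `if targetUser == nil || targetUser.IsForbidden || targetUser.IsDeleted {`. The guard sits before `isAdmin := c.IsAdmin()`, so it also refuses admin-initiated changes; that fail-closed placement looks deliberate and deserves a comment such as `// Forbidden or deleted accounts must not receive new credentials, whoever is asking.`. The error text tells the caller the account's state, so it is worth checking that the caller's permission over the target user has already been established above this point. SetPassword's body starts and ends outside the hunk.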