diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index d2a13d10f9a23c0773fdeca7554562aa75d5f63e..345bd230a70d564a6ac2f1893a2099cf089ff827 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -283,6 +283,12 @@ function systemEndpoints(app) {
     [validatedRequest, flexUserRoleValid],
     async (request, response) => {
       try {
+        const user = await userFromSession(request, response);
+        if (!!user && user.role !== "admin") {
+          response.sendStatus(401).end();
+          return;
+        }
+
         const body = reqBody(request);
         const { newValues, error } = updateENV(body);
         if (process.env.NODE_ENV === "production") await dumpENV();
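Review bot: The added guard `if (!!user && user.role !== "admin")` fails open: whenever `userFromSession` returns a falsy value the role check is skipped and the request goes on to `updateENV(body)` and `dumpENV()`. The comment added in server/utils/http/index.js suggests a missing user stands for single-user mode, but the same result would presumably come back in multi-user mode when the session cannot be resolved; whether `validatedRequest` or `flexUserRoleValid` already rule that out is not visible in this hunk. Gating on the mode rather than on the user's presence would make the check fail closed, e.g. `if (multiUserMode && user?.role !== "admin")`, where `multiUserMode` is a placeholder for however the project detects that mode. For an authenticated non-admin, 403 is the more accurate status, and `sendStatus` already ends the response, so `response.sendStatus(403); return;` is enough. The handler body continues outside the hunk.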
diff --git a/server/utils/http/index.js b/server/utils/http/index.js
index cb57c4a2894a01c9811363e8cff29453fbf96c2c..83e3fa5dd4787a4dcd640371acb2d978f5f04ed1 100644
--- a/server/utils/http/index.js
+++ b/server/utils/http/index.js
@@ -20,6 +20,8 @@ function makeJWT(info = {}, expiry = "30d") {
   return JWT.sign(info, process.env.JWT_SECRET, { expiresIn: expiry });
 }
 
+// Note: Only valid for finding users in multi-user mode
+// as single-user mode with password is not a "user"
 async function userFromSession(request, response = null) {
   if (!!response && !!response.locals?.user) {
     return response.locals.user;