diff --git a/server/lib/user/user.get.js b/server/lib/user/user.get.js
index e99cb844d7..7e1aa0bcab 100644
--- a/server/lib/user/user.get.js
+++ b/server/lib/user/user.get.js
@@ -65,6 +65,8 @@ async function get(options) {
 if (userPlain.picture && userPlain.picture.toString) {
 userPlain.picture = userPlain.picture.toString('utf8');
 }
+ delete userPlain.password;
+ delete userPlain.telegram_user_id;
 return userPlain;
 });
diff --git a/server/test/security/user.test.js b/server/test/security/user.test.js
new file mode 100644
index 0000000000..3bb9aaa16b
--- /dev/null
+++ b/server/test/security/user.test.js
@@ -0,0 +1,16 @@
+const { expect } = require('chai');
+const { authenticatedRequest } = require('../controllers/request.test');
+
+describe('/api/v1/user/', () => {
+ it('should return all users without password', async () => {
+ await authenticatedRequest
+ .get('/api/v1/user?fields=password')
+ .expect('Content-Type', /json/)
+ .expect(200)
+ .then((res) => {
+ res.body.forEach((user) => {
+ expect(user).to.not.have.property('password');
+ });
+ });
+ });
+});
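Review bot: The two `delete` lines strip `password` and `telegram_user_id` only after the row has already been fetched and converted, so this is a denylist applied at serialization time; any further secret-bearing column added to the user model later will be returned unless someone remembers to add a third `delete` here, and the accompanying test's `?fields=password` query suggests the `fields` option still reaches the query layer, so the hash is loaded from the database on every list call even though it is dropped before the response. I would hoist the list into a module-level constant with a comment stating the contract, `const SENSITIVE_USER_FIELDS = ['password', 'telegram_user_id']; // never serialized to API clients`, and strip it in one place so any other code path that returns user rows can reuse it; if the ORM call accepts an attribute exclusion, excluding these columns at query time as well would keep the hash out of memory entirely. The `get` function and the surrounding `map` callback both start outside this hunk, so I could not confirm whether `userPlain` is a fresh plain object or still aliases the model instance.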
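Review bot: The new test asserts only that `password` is absent, while the code change also strips `telegram_user_id`, so a regression on the second field would go unnoticed; add `expect(user).to.not.have.property('telegram_user_id');` next to the existing assertion (and, if the `fields` query accepts several names, request that field too). The `forEach` assertion also passes vacuously when `res.body` is an empty array, so an explicit `expect(res.body).to.not.be.empty;` before the loop would make the test actually exercise the strip. As a point of style, `await ... .then((res) => {...})` mixes the two forms; `const res = await authenticatedRequest.get(...).expect(200);` followed by the assertions reads more plainly.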