diff --git a/packages/rocketchat-file-upload/server/lib/FileUpload.js b/packages/rocketchat-file-upload/server/lib/FileUpload.js
index 61360bb31700..444c83ace043 100644
--- a/packages/rocketchat-file-upload/server/lib/FileUpload.js
+++ b/packages/rocketchat-file-upload/server/lib/FileUpload.js
@@ -11,6 +11,7 @@ import { settings } from 'meteor/rocketchat:settings';
 import * as Models from 'meteor/rocketchat:models';
 import { FileUpload as _FileUpload } from '../../lib/FileUpload';
 import { roomTypes } from 'meteor/rocketchat:utils';
+import { hasPermission } from 'meteor/rocketchat:authorization';
 const cookie = new Cookies();
@@ -86,6 +87,9 @@ export const FileUpload = Object.assign(_FileUpload, {
 if (settings.get('Accounts_AvatarResize') !== true) {
 return;
 }
+if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
+throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
+}
 const tempFilePath = UploadFS.getTempFilePath(file._id);
@@ -207,6 +211,9 @@ export const FileUpload = Object.assign(_FileUpload, {
 },
 avatarsOnFinishUpload(file) {
+if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
+throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
+}
 // update file record to match user's username
 const user = Models.Users.findOneById(file.userId);
 const oldAvatar = Models.Avatars.findOneByName(user.username);
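Review bot: In the second hunk the ownership check is placed after the `Accounts_AvatarResize` early return, so within this function it is only evaluated when resizing is enabled; an authorization gate should not be conditioned on a feature toggle. Move the three added lines above `if (settings.get('Accounts_AvatarResize') !== true) {` so they run unconditionally. The identical three lines are repeated in the `avatarsOnFinishUpload` hunk; a small module-level helper that reads `Meteor.userId()` once and returns whether that user may act on `file.userId` would keep both call sites in sync and avoid the double `Meteor.userId()` call in one condition. As written, a null user id makes the first comparison true and then relies on `hasPermission(null, …)` returning false, which appears to fail closed but is worth stating in a comment. The enclosing function starts and ends outside the hunk.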
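Review bot: In the third hunk the check throws from `avatarsOnFinishUpload`, i.e. after the upload has completed, so if the store has already persisted the file by the time this hook runs, a rejected upload leaves the stored object and its temp file behind; the validate-time check should be the primary gate and this one documented as defense in depth, e.g. `// defense in depth: the same ownership check runs at validate time; rejecting here may leave a stored file to clean up`. Whether `Meteor.userId()` is available here also depends on the hook executing inside a method or publication context; outside one it throws rather than returning null, which would turn every upload on this path into an error rather than a clean rejection — worth confirming against how UploadFS invokes this hook. The enclosing method continues outside the hunk.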