diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3abdb309..81a8ba94 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v1.8.15
+## mm/dd/2018
+
+1. [](#bugfix)
+ * Clean user post to ensure dynamically added form fields are not saved
+
 # v1.8.14
 ## 11/12/2018
diff --git a/classes/admin.php b/classes/admin.php
index 1e6b2e24..6fd9df28 100644
--- a/classes/admin.php
+++ b/classes/admin.php
@@ -638,12 +638,12 @@ class Admin
 $data[$type] = $obj;
 } elseif (preg_match('|users/|', $type)) {
 $obj = User::load(preg_replace('|users/|', '', $type));
- $obj->merge($post);
+ $obj->merge($this->cleanUserPost($post));
 $data[$type] = $obj;
 } elseif (preg_match('|user/|', $type)) {
 $obj = User::load(preg_replace('|user/|', '', $type));
- $obj->merge($post);
+ $obj->merge($this->cleanUserPost($post));
 $data[$type] = $obj;
 } elseif (preg_match('|config/|', $type)) {
@@ -688,6 +688,25 @@ class Admin
 return $data[$type];
 }
+ /**
+ * Clean user form post and remove extra stuff that may be passed along
+ *
+ * @param $post
+ * @return array
+ */
+ protected function cleanUserPost($post)
+ {
+ // Clean fields for all users
+ unset($post['hashed_password']);
+
+ // Clean field for users who shouldn't be able to modify these fields
+ if (!$this->authorize(['admin.user', 'admin.super'])) {
+ unset($post['access']);
+ }
+
+ return $post;
+ }
+
 protected function hasErrorMessage()
 {
 $msgs = $this->grav['messages']->all();
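Review bot: cleanUserPost is a deny-list that strips only `hashed_password` and, for callers lacking the admin permissions, `access`, so any other key injected into the form post still reaches `$obj->merge()` in the `users/` and `user/` branches and is persisted — the changelog's claim that dynamically added fields are not saved holds only for those two keys. A safer shape is an allow-list: if the user form is blueprint-driven, keep only the keys the blueprint (or a fixed list of editable fields) defines and drop everything else, e.g. build `$allowed` from the form definition and `return array_intersect_key($post, array_flip($allowed));`. The method also assumes `$post` is an array but `@param $post` carries no type, so a guard `if (!is_array($post)) { return []; }` or a native `array` type hint would make the contract explicit. Whether `authorize()` with two permissions means any-of or all-of is not visible in this hunk; the comment should say, e.g. `// authorize(): true when the current user holds either permission — confirm`.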