Why this matters
The bug. The endpoint trusts every field on the DTO and writes them all through. The body is *user-controlled*, so a caller who includes Role in the request sets their own role; Role should only ever change through an admin-only mutation.
The fix. Don't accept Role on this DTO at all: define a UserProfileDto with only the fields the user may edit. A separate AdminUserDto carries Role, and the endpoint that consumes it requires admin authorization. Inline, an IsInRole guard is acceptable; Bugdle accepts that or a deletion-style comment.
Pattern. This is *mass assignment*. The name comes from the Rails world, where a 2012 incident at GitHub (a user-controlled body promoting an attacker-supplied key onto a model) made it widely known. Modern frameworks ship explicit-allowlist binders to make it harder, but the architectural fix is having the right DTO.
Review heuristic
Every endpoint that updates a user-owned object needs an explicit allowlist of the fields it accepts. Object.assign and its equivalents (whole-body model binders, `update(request.body)` on an ORM model) applied to raw request bodies are the smoking gun.
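The bug, the fix and the review heuristic side by side, as an added example that is not code from the page or from Bugdle. The in-memory store, the user records, the request shape and the handler signatures are all constructed for this demo and belong to no real framework; the point is the difference between assigning a raw body and assigning an allowlisted DTO, and keeping Role on its own admin-guarded path.

```typescript
// Added example, not code from the page or from Bugdle: the mass-assignment bug
// beside the allowlisted-DTO fix. Store, records, request shape and handler
// signatures are constructed for this demo and belong to no real framework.

type Role = "user" | "admin";

interface User {
  id: number;
  displayName: string;
  email: string;
  role: Role;
}

// Constructed request context: the authenticated caller plus the raw, user-controlled body.
interface Request {
  callerId: number;
  body: Record<string, unknown>;
}

type Store = Map<number, User>;

// Fresh in-memory store so every scenario starts from the same state.
function seedUsers(): Store {
  return new Map<number, User>([
    [1, { id: 1, displayName: "alice", email: "alice@example.test", role: "user" }],
    [2, { id: 2, displayName: "root", email: "root@example.test", role: "admin" }],
  ]);
}

function mustGet(store: Store, id: number): User {
  const user = store.get(id);
  if (!user) throw new Error(`no such user ${id}`);
  return user;
}

// VULNERABLE: every key in the body is copied onto the stored object, `role` included.
// This is the Object.assign-on-a-raw-body smoking gun the review heuristic describes.
function updateProfileVulnerable(store: Store, req: Request): User {
  const user = mustGet(store, req.callerId);
  Object.assign(user, req.body);
  return user;
}

// The explicit allowlist: the only fields a user may edit on their own profile.
const USER_EDITABLE = ["displayName", "email"] as const;
type UserProfileDto = Partial<Pick<User, (typeof USER_EDITABLE)[number]>>;

// Bind the raw body to the DTO by picking allowlisted keys; everything else is dropped,
// so `role` or `id` in the body can never reach the stored object.
function toUserProfileDto(body: Record<string, unknown>): UserProfileDto {
  const dto: UserProfileDto = {};
  for (const key of USER_EDITABLE) {
    const value = body[key];
    if (typeof value === "string") dto[key] = value;
  }
  return dto;
}

// FIXED: the handler can only write what the DTO carries.
function updateProfile(store: Store, req: Request): User {
  const user = mustGet(store, req.callerId);
  Object.assign(user, toUserProfileDto(req.body));
  return user;
}

// Role lives on a separate DTO consumed only by an admin-guarded mutation.
interface AdminUserDto {
  role: Role;
}

function isRole(value: unknown): value is Role {
  return value === "user" || value === "admin";
}

function toAdminUserDto(body: Record<string, unknown>): AdminUserDto {
  const role = body.role;
  if (!isRole(role)) throw new Error("invalid role");
  return { role };
}

// Authorization check first (the inline IsInRole-style guard), then the narrow write.
function setRole(store: Store, req: Request, targetId: number): User {
  const caller = mustGet(store, req.callerId);
  if (caller.role !== "admin") throw new Error("forbidden: admin role required");
  const dto = toAdminUserDto(req.body);
  const target = mustGet(store, targetId);
  target.role = dto.role;
  return target;
}
```

With the same body `{ "displayName": "alice2", "role": "admin", "id": 2 }`, updateProfileVulnerable leaves the caller as an admin with id 2, while updateProfile changes only displayName. Note that setRole still validates the value it is given even though the caller is trusted: the admin DTO narrows what can be written, the guard narrows who can write it, and neither is a substitute for the other.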
External reference: CWE-269: Improper Privilege Management.
↳ GitHub's 2012 mass-assignment incident; CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes.