diff --git a/api/mfa/mfa.go b/api/mfa/mfa.go
index caf88634e3535..c89f06aed55ae 100644
--- a/api/mfa/mfa.go
+++ b/api/mfa/mfa.go
@@ -128,6 +128,9 @@ func MFAResponseFromContext(ctx context.Context) (*proto.MFAAuthenticateResponse
 if !ok {
 return nil, trace.BadParameter("unexpected context value type %T", val)
 }
+ if mfaResp == nil {
+ return nil, trace.NotFound("mfa response not found in the context")
+ }
 return mfaResp, nil
 }
 return nil, trace.NotFound("mfa response not found in the context")
diff --git a/lib/web/users.go b/lib/web/users.go
index e9df08f7bbd41..e8305d77e5bbd 100644
--- a/lib/web/users.go
+++ b/lib/web/users.go
@@ -27,6 +27,7 @@ import (
 "github.com/julienschmidt/httprouter"
 
 "github.com/gravitational/teleport/api/client/proto"
+ "github.com/gravitational/teleport/api/mfa"
 "github.com/gravitational/teleport/api/types"
 wantypes "github.com/gravitational/teleport/lib/auth/webauthntypes"
 "github.com/gravitational/teleport/lib/httplib"
@@ -155,7 +156,11 @@ func updateUser(r *http.Request, m userAPIGetter, createdBy string) (*ui.User, e
 return nil, trace.Wrap(err)
 }
 
- user, err := m.GetUser(r.Context(), req.Name, false)
+ // Remove the MFA resp from the context before getting the user.
+ // Otherwise, it will be consumed before the Update which actually
+ // requires the MFA.
+ getUserCtx := mfa.ContextWithMFAResponse(r.Context(), nil)
+ user, err := m.GetUser(getUserCtx, req.Name, false)
 if err != nil {
 return nil, trace.Wrap(err)
 }
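Review bot: The new `if mfaResp == nil` branch in MFAResponseFromContext gives a stored typed-nil `*proto.MFAAuthenticateResponse` the same "not found" meaning as an absent value, but nothing in the hunk says that this is now the supported way to clear an inherited response, and the function's doc comment (it starts outside the hunk) should state it, e.g. `// A nil response stored via ContextWithMFAResponse is treated as no response and yields a NotFound error.` Before this change the same input returned `(nil, nil)`, so any caller that distinguished "no MFA present" by the error type rather than by a nil pointer now sees a different result; that is the intended behaviour, but worth noting in the comment. The NotFound message is now duplicated verbatim on two lines of the same function; a package-level `var ErrMFAResponseNotFound = trace.NotFound("mfa response not found in the context")` returned from both places would keep the two branches from drifting apart and let callers use `errors.Is`.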
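Review bot: The added `getUserCtx := mfa.ContextWithMFAResponse(r.Context(), nil)` in updateUser only has the intended effect if MFAResponseFromContext treats a stored nil response as absent, which is what the sibling change in api/mfa/mfa.go introduces; the comment should name that dependency so a later refactor of either side does not silently reintroduce the consumed-before-Update problem, e.g. `// Relies on mfa.MFAResponseFromContext reporting a stored nil response as NotFound.` The reason the read path must not spend the response is a security property (a single-use MFA response should be spent on the privileged update, not on the preceding lookup), so it deserves a regression test that asserts the userAPIGetter's GetUser sees no MFA response while the subsequent update call does; updateUser continues outside the hunk, so the update call itself is not visible here. Minor style: the comment says "resp" where the surrounding code and the api package use "response".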