diff --git a/src/main/java/org/opensearch/security/user/User.java b/src/main/java/org/opensearch/security/user/User.java
index d18e587ee8..83c7ea2eb5 100644
--- a/src/main/java/org/opensearch/security/user/User.java
+++ b/src/main/java/org/opensearch/security/user/User.java
@@ -62,10 +62,10 @@ public class User implements Serializable, Writeable, CustomAttributesAware {
     /**
      * roles == backend_roles
      */
-    private final Set<String> roles = new HashSet<String>();
-    private final Set<String> securityRoles = new HashSet<String>();
+    private final Set<String> roles = Collections.synchronizedSet(new HashSet<String>());
+    private final Set<String> securityRoles = Collections.synchronizedSet(new HashSet<String>());
     private String requestedTenant;
-    private Map<String, String> attributes = new HashMap<>();
+    private Map<String, String> attributes = Collections.synchronizedMap(new HashMap<>());
     private boolean isInjected = false;
 
     public User(final StreamInput in) throws IOException {
@@ -73,7 +73,7 @@ public User(final StreamInput in) throws IOException {
         name = in.readString();
         roles.addAll(in.readList(StreamInput::readString));
         requestedTenant = in.readString();
-        attributes = in.readMap(StreamInput::readString, StreamInput::readString);
+        attributes = Collections.synchronizedMap(in.readMap(StreamInput::readString, StreamInput::readString));
         securityRoles.addAll(in.readList(StreamInput::readString));
     }
     
@@ -250,7 +250,7 @@ public void writeTo(StreamOutput out) throws IOException {
      */
     public synchronized final Map<String, String> getCustomAttributesMap() {
         if(attributes == null) {
-            attributes = new HashMap<>();
+            attributes = Collections.synchronizedMap(new HashMap<>());
         }
         return attributes;
     }
@@ -262,6 +262,6 @@ public final void addSecurityRoles(final Collection<String> securityRoles) {
     }
     
     public final Set<String> getSecurityRoles() {
-        return this.securityRoles == null ? Collections.emptySet() : Collections.unmodifiableSet(this.securityRoles);
+        return this.securityRoles == null ? Collections.synchronizedSet(Collections.emptySet()) : Collections.unmodifiableSet(this.securityRoles);
     }
 }