That’s odd, because in the User content type the password attribute is marked as private (source) 
I didn’t try the myself, but maybe adding “password” to the list of privateAttributes in /config/api.js could help? See doc:
That’s odd, because in the User content type the password attribute is marked as private (source)
I didn’t try the myself, but maybe adding “password” to the list of privateAttributes in /config/api.js could help? See doc: