diff --git a/changelog/unreleased/fix_capability_disable_self_password_change.md b/changelog/unreleased/fix_capability_disable_self_password_change.md
new file mode 100644
index 00000000000..86f59f7e127
--- /dev/null
+++ b/changelog/unreleased/fix_capability_disable_self_password_change.md
@@ -0,0 +1,7 @@
+Bugfix: Set capability response `disable_self_password_change` correctly
+
+The capability value `disable_self_password_change` was not being set correctly
+when `user.passwordProfile` is configured as a read-only attribute.
+
+https://github.com/owncloud/ocis/pull/9853
+https://github.com/owncloud/enterprise/issues/6849
diff --git a/services/frontend/pkg/revaconfig/config.go b/services/frontend/pkg/revaconfig/config.go
index 0df042ecd86..6ebd7ab4f49 100644
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
@@ -7,6 +7,7 @@ import (
 "os"
 "path"
 "path/filepath"
+ "slices"
 "strconv"

 "github.com/owncloud/ocis/v2/ocis-pkg/capabilities"
@@ -81,6 +82,11 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 readOnlyUserAttributes = cfg.ReadOnlyUserAttributes
 }
 
+ changePasswordDisabled := !cfg.LDAPServerWriteEnabled
+ if slices.Contains(readOnlyUserAttributes, "user.passwordProfile") {
+ changePasswordDisabled = true
+ }
+
 return map[string]interface{}{
 "shared": map[string]interface{}{
 "jwt_secret": cfg.TokenManager.JWTSecret,
@@ -218,7 +224,7 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 "read_only_attributes": readOnlyUserAttributes,
 "create_disabled": !cfg.LDAPServerWriteEnabled,
 "delete_disabled": !cfg.LDAPServerWriteEnabled,
- "change_password_self_disabled": !cfg.LDAPServerWriteEnabled,
+ "change_password_self_disabled": changePasswordDisabled,
 },
 },
 "checksums": map[string]interface{}{
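Review bot: `change_password_self_disabled` is a capability that clients read to decide whether to offer the password form, so the `changePasswordDisabled` value computed in the `@@ -81,6 +82,11 @@` hunk of config.go is advisory and does not by itself refuse a direct request. Nothing visible in this diff shows that the service handling self-service password changes applies the same read-only check for `user.passwordProfile`; that should be confirmed so the advertised capability and the enforced policy cannot drift apart. The match is an exact, case-sensitive `slices.Contains` on a bare string literal, so a differently spelled entry in the configured list would leave the capability at its previous value. If the project already has a shared constant for this attribute name it should be used here, otherwise add a comment such as `// must match the attribute name the enforcing service treats as read-only`. FrontendConfigFromStruct starts and ends outside both hunks, so the rest of the returned map was not reviewed.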