diff --git a/server/package.json b/server/package.json
index d038eed..0926485 100644
--- a/server/package.json
+++ b/server/package.json
@@ -1,6 +1,6 @@
 {
 "name": "nomad-server",
- "version": "2.4.0",
+ "version": "2.4.1",
 "main": "src/index.js",
 "scripts": {
 "start": "node --experimental-sqlite src/index.js",
diff --git a/server/src/routes/auth.js b/server/src/routes/auth.js
index 1bf65d1..4fc1b6a 100644
--- a/server/src/routes/auth.js
+++ b/server/src/routes/auth.js
@@ -189,6 +189,9 @@ router.get('/me', authenticate, (req, res) => {

 // PUT /api/auth/me/password
 router.put('/me/password', authenticate, (req, res) => {
+ if (process.env.DEMO_MODE === 'true' && req.user.email === 'demo@nomad.app') {
+ return res.status(403).json({ error: 'Password change is disabled in demo mode.' });
+ }
 const { new_password } = req.body;
 if (!new_password) return res.status(400).json({ error: 'New password is required' });
 if (new_password.length < 8) return res.status(400).json({ error: 'Password must be at least 8 characters' });
@@ -200,6 +203,10 @@ router.put('/me/password', authenticate, (req, res) => {

 // DELETE /api/auth/me — delete own account
 router.delete('/me', authenticate, (req, res) => {
+ // Block demo user
+ if (process.env.DEMO_MODE === 'true' && req.user.email === 'demo@nomad.app') {
+ return res.status(403).json({ error: 'Account deletion is disabled in demo mode.' });
+ }
 // Prevent deleting last admin
 if (req.user.role === 'admin') {
 const adminCount = db.prepare("SELECT COUNT(*) as count FROM users WHERE role = 'admin'").get().count;
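Review bot: The demo guard added at the top of `router.put('/me/password')` identifies the protected account by `req.user.email === 'demo@nomad.app'`, an attribute the account holder may be able to change, and the `router.delete('/me')` hunk repeats the same condition. If any profile-update route (none is visible in this diff) lets a user edit their email, the demo account would stop matching and both blocks would silently stop applying. Consider keying the check on an immutable attribute such as the user id or a dedicated flag, or rejecting email changes for the demo account as well. Moving the condition into one helper, e.g. `const isDemoUser = (req) => process.env.DEMO_MODE === 'true' && req.user.email === 'demo@nomad.app';`, would also keep the two handlers from drifting apart. Both handler bodies continue outside the hunks.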