An issue exists in Joomla! prior to 3.9.17. Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
joomla joomla\\!