diff --git a/package.json b/package.json
index 8cb99dcf3..ce1c39590 100644
--- a/package.json
+++ b/package.json
@@ -354,5 +354,5 @@
 "js-yaml": "^3.14.1",
 "jpeg-js": "0.4.4"
 },
- "version": "0.66.0"
+ "version": "0.66.2"
 }
diff --git a/server/routes/api/users.ts b/server/routes/api/users.ts
index c5171c7bf..acd0f8cdb 100644
--- a/server/routes/api/users.ts
+++ b/server/routes/api/users.ts
@@ -416,6 +416,7 @@ router.post(
 rateLimiter(RateLimiterStrategy.TenPerHour),
 async (ctx) => {
 const { id, code = "" } = ctx.request.body;
+ const actor = ctx.state.user;
 let user: User;
 if (id) {
@@ -424,13 +425,13 @@ router.post(
 rejectOnEmpty: true,
 });
 } else {
- user = ctx.state.user;
+ user = actor;
 }
- authorize(user, "delete", user);
+ authorize(actor, "delete", user);
 // If we're attempting to delete our own account then a confirmation code
 // is required. This acts as CSRF protection.
- if ((!id || id === ctx.state.user.id) && emailEnabled) {
+ if ((!id || id === actor.id) && emailEnabled) {
 const deleteConfirmationCode = user.deleteConfirmationCode;
 if (
@@ -447,7 +448,7 @@ router.post(
 await userDestroyer({
 user,
- actor: user,
+ actor,
 ip: ctx.request.ip,
 });
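Review bot: `id` and `code` are destructured from `ctx.request.body` and no type check is visible in this hunk before `id` is used in `if (id)` and in the lookup that follows. The later comparison `id === actor.id` decides whether the confirmation code is required, so it should only ever see a string. Unless a validation step runs earlier in the route (the `router.post(` argument list starts outside this hunk), a guard such as `if (id !== undefined && typeof id !== "string") { ctx.throw(400, "id must be a string"); }` before the lookup would make that explicit. The handler body continues past the hunk.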
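Review bot: The corrected call `authorize(actor, "delete", user)` has no comment saying why the first argument must be the requester, and the visible diff adds no regression test for it; the earlier form checked the target against itself, which is easy to reintroduce in a refactor. I would add `// Authorize the requester, not the target: a self-check passes for anyone allowed to delete their own account.` above the call, plus a test that a non-admin posting another user's `id` is rejected. When `id` names another user the confirmation-code branch is skipped, so the `delete` policy (not shown in this diff) is the only gate on that path and should be confirmed to be limited to admins. The same actor/target distinction applies in the last hunk, where `actor` is now passed to `userDestroyer`; the handler starts and ends outside these hunks.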