diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6c8b7ced..6102a7a9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@
 
 - Removed unnecessary slice length check in `list.ExistInSlice` ([#2527](https://github.com/pocketbase/pocketbase/pull/2527); thanks @KunalSin9h).
 
+- Avoid mutating the cached request data on OAuth2 user create ([#2535](https://github.com/pocketbase/pocketbase/discussions/2535)).
+
 
 ## v0.16.0
 
diff --git a/apis/record_auth.go b/apis/record_auth.go
index 9e626c12..5bcf9d87 100644
--- a/apis/record_auth.go
+++ b/apis/record_auth.go
@@ -190,9 +190,10 @@ func (api *recordAuthApi) authWithOAuth2(c echo.Context) error {
 
 	form.SetBeforeNewRecordCreateFunc(func(createForm *forms.RecordUpsert, authRecord *models.Record, authUser *auth.AuthUser) error {
 		return createForm.DrySubmit(func(txDao *daos.Dao) error {
-			requestData := RequestData(c)
-			requestData.Data = form.CreateData
 			event.IsNewRecord = true
+			// clone the current request data and assign the form create data as its body data
+			requestData := *RequestData(c)
+			requestData.Data = form.CreateData
 
 			createRuleFunc := func(q *dbx.SelectQuery) error {
 				admin, _ := c.Get(ContextAdminKey).(*models.Admin)
@@ -205,7 +206,7 @@ func (api *recordAuthApi) authWithOAuth2(c echo.Context) error {
 				}
 
 				if *collection.CreateRule != "" {
-					resolver := resolvers.NewRecordFieldResolver(txDao, collection, requestData, true)
+					resolver := resolvers.NewRecordFieldResolver(txDao, collection, &requestData, true)
 					expr, err := search.FilterData(*collection.CreateRule).BuildExpr(resolver)
 					if err != nil {
 						return err