diff --git a/docs/en_US/release_notes_5_6.rst b/docs/en_US/release_notes_5_6.rst
index b6f1689d6..9d5060ba0 100644
--- a/docs/en_US/release_notes_5_6.rst
+++ b/docs/en_US/release_notes_5_6.rst
@@ -29,3 +29,4 @@ Bug fixes
 | `Issue #6619 `_ - Fixed incorrect binary path issue when the user deletes the binary path from the preferences.
 | `Issue #6643 `_ - Ensure that all the required options should be loaded when the Range data type is selected while creating a custom data type.
 | `Issue #6650 `_ - Fixed dashboard server activity issue when active_since parameter is None.
+| `Issue #6664 `_ - Fixed an issue where even if the user is locked, he can reset the password and can login into pgAdmin.
diff --git a/web/pgadmin/authenticate/__init__.py b/web/pgadmin/authenticate/__init__.py
index 66231ac56..e2a903bf4 100644
--- a/web/pgadmin/authenticate/__init__.py
+++ b/web/pgadmin/authenticate/__init__.py
@@ -53,7 +53,8 @@ def login():
 session['auth_source_manager'] = None
 username = form.data['email']
- user = User.query.filter_by(username=username).first()
+ user = User.query.filter_by(username=username,
+ auth_source=INTERNAL).first()
 if user:
 if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:
@@ -108,7 +109,8 @@ def login():
 session['auth_source_manager'] = current_auth_obj
- user.login_attempts = 0
+ if user:
+ user.login_attempts = 0
 db.session.commit()
 if 'auth_obj' in session:
diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py
index 60fd9218b..7fe8fed80 100644
--- a/web/pgadmin/browser/__init__.py
+++ b/web/pgadmin/browser/__init__.py
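Review bot: The lockout check `if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:` now only fires for accounts matched with `auth_source=INTERNAL`, because the filter added on the `User.query` line makes `.first()` return None for a username whose row carries any other auth source, so the brute-force lockout no longer applies to such a login. That is plausibly intended (external sources enforce their own policy), but nothing in the hunk says so, and the narrowed lookup will read as accidental to a later maintainer. A comment on the query line would make the intent explicit: `# Only internal accounts are subject to the login_attempts lockout; other auth sources are handled by their own AuthSourceManager path`. If the lockout is meant to cover every locally stored user regardless of source, keep the username-only lookup for the attempt check and apply the `auth_source` filter only where the internal password check happens. `login()` starts before this hunk and continues after it.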
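Review bot: The new `if user:` guard around `user.login_attempts = 0` carries no explanation of why `user` can be None here; it is a consequence of the INTERNAL-only lookup earlier in `login()`, but read in isolation it looks like a defensive null check on a nullable object. A one-line comment keeps that visible: `# user is None when the login came through a non-INTERNAL auth source; only internal accounts track login_attempts`. It is also worth confirming that on the None path the following `db.session.commit()` still has something to commit — the assignment just above writes the Flask `session`, not a DB object — otherwise the commit could sit under the same guard, unless code outside the hunk has modified mapped objects. `login()` begins before this hunk and its remaining body continues after it.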
@@ -31,7 +31,8 @@ from flask_security.recoverable import reset_password_token_status, \
 generate_reset_password_token, update_password
 from flask_security.signals import reset_password_instructions_sent
 from flask_security.utils import config_value, do_flash, get_url, \
- get_message, slash_url_suffix, login_user, send_mail, logout_user
+ get_message, slash_url_suffix, login_user, send_mail, logout_user, \
+ get_post_logout_redirect
 from flask_security.views import _security, view_commit, _ctx
 from werkzeug.datastructures import MultiDict
@@ -1329,6 +1330,12 @@ if hasattr(config, 'SECURITY_RECOVERABLE') and config.SECURITY_RECOVERABLE:
 auth_obj = AuthSourceManager(form, [INTERNAL])
 session['_auth_source_manager_obj'] = auth_obj.as_dict()
+ if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:
+ flash(gettext('You successfully reset your password but'
+ ' your account is locked. Please contact '
+ 'the Administrator.'),
+ 'warning')
+ return redirect(get_post_logout_redirect())
 do_flash(*get_message('PASSWORD_RESET'))
 login_user(user)
 auth_obj = AuthSourceManager(form, [INTERNAL])
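Review bot: The lock check is applied after the password has already been changed — the flash text itself says "You successfully reset your password but your account is locked", and the `update_password` import in the earlier hunk suggests the update runs above this hunk — so a locked account can still have its password rotated by whoever holds the reset token, and only the automatic `login_user(user)` is prevented. If the lockout is meant to stop an actor who has exhausted `MAX_LOGIN_ATTEMPTS`, the same `if user.login_attempts >= config.MAX_LOGIN_ATTEMPTS > 0:` guard with its flash and `return redirect(get_post_logout_redirect())` belongs before the password update (and ideally before a reset token is issued at all); if resetting while locked is deliberately allowed, a comment saying so would stop the next reviewer from moving it. Two smaller points: `session['_auth_source_manager_obj']` is populated on the line just above even on the early-return path, leaving auth-source state in the session for a user who was never logged in, and the new code uses `flash(gettext(...), 'warning')` where the surrounding code uses `do_flash(*get_message(...))`. The enclosing view function starts before this hunk and its remaining body continues after it.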