diff --git a/backend/app/middleware/validation.py b/backend/app/middleware/validation.py
index 2b8d6cd..04dc30f 100644
--- a/backend/app/middleware/validation.py
+++ b/backend/app/middleware/validation.py
@@ -44,7 +44,7 @@ class RequestValidator:
 # Security patterns to block
 self.malicious_patterns = [
 # SQL injection patterns
- r"(union|select|insert|update|delete|drop|create|alter)\s+",
+ r"\b(union|select|insert|update|delete|drop|create|alter)\b\s+",
 r"vbscript:", # vbscript protocol injection
 r"\b(onload|onerror|onclick)\s*=", # HTML event handler attribute injection
 r"<\s*script[^>]*>",
@@ -59,7 +59,7 @@ class RequestValidator:
 # Command injection (removed $ to allow MongoDB operators in controlled contexts)
 r"[;&|`](?!\s*$)", # Allow $ but not as command separator
- r"(rm|wget|curl|nc|bash|sh|cmd|powershell)\s+",
+ r"\b(rm|wget|curl|nc|bash|sh|cmd|powershell)\b\s+",
 # MongoDB injection — NoSQL operator abuse
 r"\$where|\$expr|\$function|\$accumulator"
diff --git a/frontend/src/routes/admin/UserList.tsx b/frontend/src/routes/admin/UserList.tsx
index 8f0569e..5e3c648 100644
--- a/frontend/src/routes/admin/UserList.tsx
+++ b/frontend/src/routes/admin/UserList.tsx
@@ -377,7 +377,7 @@ function CreateUserModal({ onClose, onSuccess }: { onClose: () => void; onSucces
 email: '',
 password: '',
 full_name: '',
- role: 'client' as UserRole,
+ role: 'admin' as UserRole,
 });
 const createUserMutation = useCreateUser();
 const toast = useToastContext();
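Review bot: The trailing `\b` in the new SQL pattern on the `+` line is redundant, because `\s+` already forces a non-word character right after the keyword, so `r"\b(union|select|insert|update|delete|drop|create|alter)\s+"` is equivalent and easier to read; the same applies to the command pattern in the second hunk at line 59. The leading `\b` only stops substring hits such as `selected` or `sh` inside `shell` — whole English words like `update `, `delete ` or `create ` in free-text fields still match, so the false-positive problem is narrowed rather than solved, and a comment above the list should make the role of this denylist explicit, e.g. `# Defence-in-depth only: database access must still go through parameterized queries / the ODM; these patterns are not the primary injection control`. I would also add a regression test asserting that `selected items` and `shell` no longer match while a keyword followed by whitespace still does. Whether the patterns are compiled case-insensitively is not visible in either hunk; if the flags live elsewhere, confirm that `re.IGNORECASE` is set, since the `\b` change alone does not cover upper-case keywords. The enclosing method and the `malicious_patterns` list both start and end outside the hunks.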
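Review bot: The new default `role: 'admin' as UserRole` on the `+` line makes the most privileged role the value CreateUserModal submits whenever the operator does not touch the role field, which inverts the fail-safe default the previous `'client'` value provided. Unless there is a product reason not visible here, keep a least-privilege default or leave `role` unset and make the selection required, so that creating an admin is always an explicit act: `role: 'client' as UserRole,`. The change is also unrelated to the regex fix in the same commit and carries no rationale in this diff, so it belongs in its own commit with the motivation stated. Whatever the UI default, the server-side create-user endpoint (not shown) must still restrict who may assign `'admin'`, because this form value is client-controlled. The state initialiser whose closing `});` is visible here opens outside the hunk, as does the rest of CreateUserModal.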