This is a critical Drupal core vulnerability that allows an attacker to bypass access control.
A site is only affected by this if all of the following conditions are met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
Affected versions: Drupal 8 prior to 8.2.8 and 8.3.1.
- If the site is running Drupal 8.2.7 or earlier, upgrade to 8.2.8.
- If the site is running Drupal 8.3.0, upgrade to 8.3.1.
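
The following Python triage script is an added example, not part of the original advisory or of Drupal's tooling. It applies the three conditions and the version ranges above to an inventory of sites. The `Site` record, its field names, and the sample inventory are constructed for illustration, and ignoring pre-release suffixes such as `-rc1` is an assumption.

```python
import re
from typing import NamedTuple, Optional, Tuple

class Site(NamedTuple):            # hypothetical inventory record
    name: str
    version: str                   # Drupal core version, e.g. "8.2.7"
    rest_enabled: bool             # RESTful Web Services (rest) module enabled
    patch_allowed: bool            # site allows PATCH requests
    accounts_obtainable: bool      # attacker can get or register an account

def parse_version(version: str) -> Tuple[int, int, int]:
    # Assumption: a suffix such as "-rc1" is ignored; "8.2.x-dev" is rejected.
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Drupal version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def fixed_release(version: str) -> Optional[str]:
    """Return the release to upgrade to, or None if the version is not affected."""
    v = parse_version(version)
    if v[0] != 8:
        return None
    if v <= (8, 2, 7):             # 8.2.7 or earlier -> 8.2.8
        return "8.2.8"
    if v[:2] == (8, 3) and v < (8, 3, 1):   # 8.3.0 -> 8.3.1
        return "8.3.1"
    return None

def triage(site: Site) -> Tuple[str, Optional[str]]:
    """Return (status, upgrade_target) for one site."""
    try:
        target = fixed_release(site.version)
    except ValueError:
        return "unknown-version", None
    if target is None:
        return "fixed-or-unaffected-version", None
    if site.rest_enabled and site.patch_allowed and site.accounts_obtainable:
        return "affected", target  # all three conditions met
    return "conditions-not-met", target

# Constructed sample inventory.
INVENTORY = [
    Site("shop", "8.2.5", True, True, True),
    Site("blog", "8.3.0", False, False, True),
    Site("intranet", "8.3.1", True, True, True),
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s.name, s.version, *triage(s))
```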