.../EntityResource/User/UserResourceTestBase.php | 9 +++++++++
.../user_access_test/user_access_test.module | 21 +++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php b/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
index d25bf2f..80b5db5 100644
--- a/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
+++ b/core/modules/rest/tests/src/Functional/EntityResource/User/UserResourceTestBase.php
@@ -223,6 +223,15 @@ public function testPatchDxForSecuritySensitiveBaseFields() {
 }
 
 /**
+ * Tests PATCHing security-sensitive base fields of the logged in account.
+ */
+ public function testPatchDxForSecuritySensitiveBaseFieldsWhenPasswordFieldEditingIsNotAllowed() {
+ \Drupal::service('module_installer')->install(['user_access_test']);
+
+ return $this->testPatchDxForSecuritySensitiveBaseFields();
+ }
+
+ /**
 * Verifies that logging in with the given username and password works.
 *
 * @param string $username
diff --git a/core/modules/user/tests/modules/user_access_test/user_access_test.module b/core/modules/user/tests/modules/user_access_test/user_access_test.module
index 470a76a..cee39dc 100644
--- a/core/modules/user/tests/modules/user_access_test/user_access_test.module
+++ b/core/modules/user/tests/modules/user_access_test/user_access_test.module
@@ -6,6 +6,9 @@
 */
 
 use Drupal\Core\Access\AccessResult;
+use Drupal\Core\Field\FieldDefinitionInterface;
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Field\FieldItemListInterface;
 use Drupal\user\Entity\User;
 
 /**
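Review bot: The new test method returns the result of `testPatchDxForSecuritySensitiveBaseFields()`, but PHPUnit ignores a test method's return value, so the `return` only suggests a result that is never used; call it as a plain statement, `$this->testPatchDxForSecuritySensitiveBaseFields();`. The docblock repeats the parent test's summary word for word and does not say what this variant changes; it should name the difference, e.g. `* Tests PATCHing security-sensitive base fields when the user_access_test module forbids editing the 'pass' field.`. Since the delegated test's assertions run unchanged after the module is installed, this presumably verifies that the PATCH response is identical whether or not password editing is allowed; if that is the intent, stating it in the docblock would stop a reader from expecting a forbidden field to change the expected response. The body of `testPatchDxForSecuritySensitiveBaseFields()` lies outside the hunk.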
@@ -22,3 +25,21 @@ function user_access_test_user_access(User $entity, $operation, $account) {
 }
 return AccessResult::neutral();
 }
+
+/**
+ * Implements hook_entity_field_access().
+ *
+ * @see \Drupal\Tests\rest\Functional\EntityResource\User\UserResourceTestBase::testPatchDxForSecuritySensitiveBaseFieldsWhenPasswordFieldEditingIsNotAllowed()
+ */
+function user_access_test_entity_field_access($operation, FieldDefinitionInterface $field_definition, AccountInterface $account, FieldItemListInterface $items = NULL) {
+ // By default, any user who is allowed to edit the User entity is also allowed
+ // to modify their password. We also want to be able to test custom behavior:
+ // if the editing of the password is forbidden.
+ // @see \Drupal\Tests\user\Unit\UserAccessControlHandlerTest::testPasswordAccess()
+ if ($items && $items->getEntity()->getEntityTypeId() === 'user' && $field_definition->getName() === 'pass' && $operation == 'edit') {
+ return AccessResult::forbidden();
+ }
+
+ // No opinion.
+ return AccessResult::neutral();
+}
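Review bot: The deny in `user_access_test_entity_field_access()` only takes effect when `$items` is supplied, because the entity type is read through `$items->getEntity()`; the `$items = NULL` default on the signature shows the hook can be invoked without items, and in that case the guard falls through to neutral even for an edit of the `pass` field, so the test module's "editing forbidden" behaviour is narrower than its comment claims. Taking the type from the definition removes that dependency: `if ($field_definition->getTargetEntityTypeId() === 'user' && $field_definition->getName() === 'pass' && $operation === 'edit') {`. The same condition mixes `===` with the loose `$operation == 'edit'`; use strict comparison throughout, as the rest of the line already does. Declaring the parameter as `?FieldItemListInterface $items = NULL` would also make the nullability explicit rather than implied by the default.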