core/modules/rest/src/Plugin/rest/resource/EntityResource.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index 3d3072d..c82637e 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -13,6 +13,7 @@ use Drupal\Core\Entity\EntityStorageException;
 use Drupal\rest\Plugin\ResourceBase;
 use Drupal\rest\ResourceResponse;
+use Drupal\user\UserInterface;
 use Psr\Log\LoggerInterface;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Drupal\rest\ModifiedResourceResponse;
@@ -230,6 +231,15 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
 $field = $entity->get($field_name);
 $original_field = $original_entity->get($field_name);
 
+ // The User entity type's 'pass' field is a very special case: even though
+ // it is not allowed to be viewed nor edited, to be able to modify
+ // security-sensitive fields, the password must be specified.
+ // @see \Drupal\Tests\rest\Functional\EntityResource\User\UserResourceTestBase::testPatchDxForSecuritySensitiveBaseFields()
+ if ($original_entity instanceof UserInterface && $field_name === 'pass') {
+ $original_entity->set('pass', $field->getValue());
+ continue;
+ }
+
 // If the user has access to view the field, we need to check update
 // access regardless of the field value to avoid information disclosure.
 // (Otherwise the user may try PATCHing with value after value, until they
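Review bot: The `continue` in the new 'pass' branch skips the per-field access check that the rest of the loop applies (the context lines right below describe the view/update access logic), so for the password the only remaining guards are the entity-level update access check and whatever validation runs on `$original_entity` later in patch(); both are outside this hunk, and the comment should say so explicitly, e.g. `// No field-level access check here: this relies on the entity-level 'update' access check and on the User entity's protected-field validation of the supplied existing password.` Copying the entire client-supplied array via `$field->getValue()` also forwards every property the client chose to include, not only the new password and the existing-password confirmation; if the later validation reads only those two, narrowing the copy to `['value' => $field->value, 'existing' => $field->existing]` would reduce what untrusted input reaches the entity — confirm against the test named in the @see before changing it. The body of patch() starts and ends outside the hunk.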