core/modules/rest/src/Plugin/rest/resource/EntityResource.php | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
index fbec455..da2cefb 100644
--- a/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/src/Plugin/rest/resource/EntityResource.php
@@ -241,6 +241,12 @@ public function patch(EntityInterface $original_entity, EntityInterface $entity
 continue;
 }
+ // If the user has access to view the field, we need to check update
+ // access regardless of the field value to avoid information disclosure.
+ // (Otherwise the user may try PATCHing with value after value, until they
+ // send the current value for the field, and then they won't get a 403
+ // response anymore, which indicates that the value they sent in the PATCH
+ // request body matches the current value.)
 if ($original_field->access('edit')) {
 $original_entity->set($field_name, $field->getValue());
 }
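Review bot: The guard `if ($original_field->access('edit'))` that follows the new comment is an unchanged context line, so this hunk only documents the invariant and nothing in the diff pins it; a regression test that PATCHes a field the user can view but not edit with its current value and asserts a 403 would make the probing scenario the comment describes enforceable (such a test may exist outside this diff). The comment would also read better with the rule stated first, for example `// Check update access even when the submitted value equals the current one: a user who can view but not edit the field could otherwise probe its value by PATCHing guesses until the 403 disappears.` The comment's opening "If the user has access to view the field" refers to a view-access check that is presumably the `continue` branch just above, which is not visible in this hunk, and the 403 path it mentions is likewise outside the hunk. The enclosing patch() starts before the hunk and continues past it.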