.../lib/Drupal/Core/Entity/EntityAccessControlHandler.php | 15 +++++++++++----
 .../src/Tests/Entity/EntityAccessControlHandlerTest.php   |  4 ++--
 .../system/tests/modules/entity_test/entity_test.module   |  2 +-
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
index cdbc24b..0994cba 100644
--- a/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
+++ b/core/lib/Drupal/Core/Entity/EntityAccessControlHandler.php
@@ -77,8 +77,11 @@ public function access(EntityInterface $entity, $operation, $langcode = Language
 
     $return = $this->processAccessHookResults($access);
 
-    // Also execute the default access check.
-    $return = $return->orIf($this->checkAccess($entity, $operation, $langcode, $account));
+    // Also execute the default access check except when the access result is
+    // already forbidden, as in that case, it can not be anything else.
+    if (!$return->isForbidden()) {
+      $return = $return->orIf($this->checkAccess($entity, $operation, $langcode, $account));
+    }
     $result = $this->setCache($return, $entity->uuid(), $operation, $langcode, $account);
     return $return_as_object ? $result : $result->isAllowed();
   }
@@ -229,8 +232,12 @@ public function createAccess($entity_bundle = NULL, AccountInterface $account =
     );
 
     $return = $this->processAccessHookResults($access);
-    // Also execute the default access check.
-    $return = $return->orIf($this->checkCreateAccess($account, $context, $entity_bundle));
+
+    // Also execute the default access check except when the access result is
+    // already forbidden, as in that case, it can not be anything else.
+    if (!$return->isForbidden()) {
+      $return = $return->orIf($this->checkCreateAccess($account, $context, $entity_bundle));
+    }
     $result = $this->setCache($return, $cid, 'create', $context['langcode'], $account);
     return $return_as_object ? $result : $result->isAllowed();
   }
diff --git a/core/modules/system/src/Tests/Entity/EntityAccessControlHandlerTest.php b/core/modules/system/src/Tests/Entity/EntityAccessControlHandlerTest.php
index eb2b34a..fc12b89 100644
--- a/core/modules/system/src/Tests/Entity/EntityAccessControlHandlerTest.php
+++ b/core/modules/system/src/Tests/Entity/EntityAccessControlHandlerTest.php
@@ -70,8 +70,8 @@ function testEntityAccess() {
    * Ensures default entity access is always checked.
    *
    * This ensures that the default checkAccess() implementation of the
-   * entity access control handler is always considered and can forbid access
-   *
+   * entity access control handler is always considered and can forbid access,
+   * even after access was already explicitly allowed by hook_entity_access().
    *
    * @see \Drupal\entity_test\EntityTestAccessControlHandler::checkAccess()
    * @see entity_test_entity_access()
diff --git a/core/modules/system/tests/modules/entity_test/entity_test.module b/core/modules/system/tests/modules/entity_test/entity_test.module
index 7604a33..08fa564 100644
--- a/core/modules/system/tests/modules/entity_test/entity_test.module
+++ b/core/modules/system/tests/modules/entity_test/entity_test.module
@@ -499,7 +499,7 @@ function entity_test_entity_access(EntityInterface $entity, $operation, AccountI
 
   // Attempt to allow access to entities with the title forbid_access,
   // this will be overridden by
-  // Drupal\entity_test\EntityTestAccessControlHandler::checkAccess().
+  // \Drupal\entity_test\EntityTestAccessControlHandler::checkAccess().
   if ($entity->label() == 'forbid_access') {
     return AccessResult::allowed();
   }