Drupal 8 before before 8.3.1 allows critical access bypass by authenticated users if the RESTful Web Services (rest) module is enabled and the site allows PATCH requests.
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1443832]
All dependent tickets have been closed.
(In reply to Shawn Iwinski from comment #2)
> All dependent tickets have been closed.
Thanks, closing this bug as well.