A critical access bypass was reported for Drupal versions <8.2.8 and <8.3.1, as per Drupal advisory: DRUPAL-SA-CORE-2017-002. Drupal 7 is *not* affected.
From the advisory:
This is a critical access bypass vulnerability. A site is only affected by this if all of the following conditions are met:
- The site has the RESTful Web Services (rest) module enabled.
- The site allows PATCH requests.
- An attacker can get or register a user account on the site.
Fixed versions are already in the tree and the affected versions were dropped.
Repository is clean, no stable package was affected. All done!
Maintainer(s), thank you for your work.