diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 6bada936ba..5d4edb5a18 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Drupal 7.88, 2022-02-15
+-----------------------
+- Fixed security issues:
+ - SA-CORE-2022-003
+
 Drupal 7.87, 2022-01-19
 -----------------------
 - Fix regression caused by jQuery UI position() backport
diff --git a/includes/bootstrap.inc b/includes/bootstrap.inc
index edfe9f39a7..5f6eb882d7 100644
--- a/includes/bootstrap.inc
+++ b/includes/bootstrap.inc
@@ -8,7 +8,7 @@
 /**
 * The current system version.
 */
-define('VERSION', '7.87');
+define('VERSION', '7.88');

 /**
 * Core API compatibility.
diff --git a/includes/form.inc b/includes/form.inc
index eb68412fdd..6ada36e458 100644
--- a/includes/form.inc
+++ b/includes/form.inc
@@ -2087,7 +2087,7 @@ function _form_builder_handle_input_element($form_id, &$element, &$form_state) {
 // #access=FALSE on an element usually allow access for some users, so forms
 // submitted with drupal_form_submit() may bypass access restriction and be
 // treated as high-privilege users instead.
- $process_input = empty($element['#disabled']) && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));
+ $process_input = empty($element['#disabled']) && ($element['#type'] !== 'value') && (($form_state['programmed'] && $form_state['programmed_bypass_access_check']) || ($form_state['process_input'] && (!isset($element['#access']) || $element['#access'])));

 // Set the element's #value property.
 if (!isset($element['#value']) && !array_key_exists('#value', $element)) {
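Review bot: The added `$element['#type'] !== 'value'` test on the `$process_input` line reads `#type` without an `isset()`, although the same expression guards `#access` with `!isset($element['#access'])`. Whether every element reaching this line carries `#type` is not visible here (the function body starts and ends outside the hunk), so an element that sets `#input` without a type would presumably raise an undefined-index notice; `(!isset($element['#type']) || $element['#type'] !== 'value')` avoids that without weakening the check. The comment above the line still explains only the `#access` / programmed-submission case, so a line such as `// 'value' elements hold server-side data and must never be populated from submitted input.` would record why the new condition exists.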