diff --git a/CHANGES.rst b/CHANGES.rst
index d61906f..049fc0d 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -6,6 +6,9 @@ For changes before version 3.0, see ``HISTORY.rst``.
 7.2 (unreleased)
 ----------------
 
+- Prevent untrusted access to ``AccessControl.userfolder.UserFolder.data``
+  (fixes `GHSA-g5vw-3h65-2q3v `_).
+
 7.1 (2024-10-10)
 ----------------
 
diff --git a/src/AccessControl/userfolder.py b/src/AccessControl/userfolder.py
index 8405ef5..e8d4450 100644
--- a/src/AccessControl/userfolder.py
+++ b/src/AccessControl/userfolder.py
@@ -376,6 +376,7 @@ class UserFolder(BasicUserFolder):
     zmi_show_add_dialog = False
     id = 'acl_users'
     title = 'User Folder'
+    data__roles__ = () # prevent untrusted access to ``data``.
 
     def __init__(self):
         self.data = PersistentMapping()
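Review bot: The inline comment on `data__roles__ = ()` does not say why an empty tuple closes the attribute; a reader unfamiliar with Zope's `<name>__roles__` convention can easily read `()` as "no roles required" rather than "no role grants access, so only unrestricted code may reach it". Suggest `data__roles__ = ()  # empty tuple: no role grants access, so only trusted (unrestricted) code can read ``data``, which holds the user records.` Since `data` itself is set per instance in `__init__` (`self.data = PersistentMapping()`) while the marker is a class attribute, it is worth a word that the security check resolves `data__roles__` through the class, so a later refactor must not shadow the marker on the instance. Unless it lives elsewhere in this commit, a regression test asserting that restricted code cannot read `acl_users.data` would pin the fix. The UserFolder class body continues outside the hunk.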