diff --git a/UPDATE.md b/UPDATE.md
index 469931e4fa..35163b4a69 100644
--- a/UPDATE.md
+++ b/UPDATE.md
@@ -26,6 +26,10 @@ PR11 to PR12
 twig twig.extension.debug
+* Fixes a critical security issue which allowed all users to switch to
+  arbitrary accounts when the SwitchUserListener was activated. Configurations
+  which do not use the SwitchUserListener are not affected.
+
 PR10 to PR11
 ------------
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index 5d69aa25d4..0977cb16fe 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -11,6 +11,7 @@ namespace Symfony\Component\Security\Http\Firewall;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
@@ -112,7 +113,9 @@ class SwitchUserListener implements ListenerInterface
 throw new \LogicException(sprintf('You are already switched to "%s" user.', $token->getUsername()));
 }
- $this->accessDecisionManager->decide($token, array($this->role));
+ if (false === $this->accessDecisionManager->decide($token, array($this->role))) {
+ throw new AccessDeniedException();
+ }
 $username = $request->get($this->usernameParameter);
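Review bot: The new guard in the `@@ -112,7 +113,9 @@` hunk only fails closed when decide() returns exactly `false`; an injected decision manager that returns null or any other falsy value would still fall through into the account switch, which is the very path this commit is closing. Negating the result, `if (!$this->accessDecisionManager->decide($token, array($this->role))) {`, makes the check deny on anything but an explicit true and stops the fix from depending on the return type of a collaborator the listener does not control. The bare `throw new AccessDeniedException();` also leaves no trace of who attempted the switch; if the listener has a logger in scope, a warning recording the denied attempt and the required role before the throw would give operators something to alert on. The enclosing method continues outside the hunk.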