diff --git a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
index c3bd54be5762a01a828fef69b0c3f44dd26d4f5a..0c869cd8351c6f538805cebefc0c18a1647b89ab 100644
--- a/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
+++ b/typo3/sysext/core/Classes/Authentication/BackendUserAuthentication.php
@@ -1255,10 +1255,9 @@ class BackendUserAuthentication extends AbstractUserAuthentication
     /**
      * Returns an array with the webmounts.
      * If no webmounts, and empty array is returned.
-     * NOTICE: Deleted pages WILL NOT be filtered out! So if a mounted page has been deleted
-     *         it is STILL coming out as a webmount. This is not checked due to performance.
+     * Webmounts permissions are checked in fetchGroupData()
      *
-     * @return array
+     * @return array of web mounts uids (may include '0')
      */
     public function returnWebmounts()
     {
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
index 01d6091768d15c4ab8e8a8ead6b42f9c5014de7d..b629b25e694aa75f26befdbeb0a72137742547a3 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
+++ b/typo3/sysext/core/Tests/Functional/Authentication/BackendUserAuthenticationTest.php
@@ -91,4 +91,18 @@ class BackendUserAuthenticationTest extends FunctionalTestCase
         self::assertEquals('13', $result['custom.']['groupProperty']);
         self::assertEquals('installation-wide-configuration', $result['custom.']['generic']);
     }
+
+    /**
+     * @test
+     */
+    public function returnWebmountsFilterOutInaccessiblePages(): void
+    {
+        $result = $this->subject->returnWebmounts();
+
+        self::assertNotContains('3', $result, 'Deleted page is not filtered out');
+        self::assertNotContains('4', $result, 'Page user has no permission to read is not filtered out');
+        self::assertNotContains('5', $result, 'Not existing page is not filtered out');
+        self::assertContains('40', $result, 'Accessible db mount page, child of a not accessible page is not shown');
+        self::assertEquals(['1', '40'], $result);
+    }
 }
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
index 1e727dc0051adfb612b207a8e23ffcbbb4b47e30..0f7b40b623ab9c1f6e7ed860c55ea3fb432120dd 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
+++ b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/be_groups.xml
@@ -6,7 +6,7 @@
         <title>editor group</title>
         <lockToDomain></lockToDomain>
         <workspace_perms>0</workspace_perms>
-        <db_mountpoints>1</db_mountpoints>
+        <db_mountpoints>1,3,4,5,40</db_mountpoints>
         <tstamp>1544454571</tstamp>
         <crdate>1542360853</crdate>
         <deleted>0</deleted>
diff --git a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml
index d8094f17932629066a3ae3a372a9d8ad93babbd3..2e2694a570656a7b385d80e3ee70f7ccc3ef0ddc 100644
--- a/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml
+++ b/typo3/sysext/core/Tests/Functional/Authentication/Fixtures/pages.xml
@@ -26,4 +26,46 @@
         <perms_everybody>0</perms_everybody>
         <is_siteroot>1</is_siteroot>
     </pages>
+    <pages>
+        <pid>0</pid>
+        <uid>3</uid>
+        <deleted>1</deleted>
+        <sys_language_uid>0</sys_language_uid>
+        <l10n_parent>0</l10n_parent>
+        <title>Deleted page</title>
+        <perms_userid>1</perms_userid>
+        <perms_groupid>1</perms_groupid>
+        <perms_user>31</perms_user>
+        <perms_group>27</perms_group>
+        <perms_everybody>0</perms_everybody>
+        <is_siteroot>1</is_siteroot>
+    </pages>
+    <pages>
+        <pid>0</pid>
+        <uid>4</uid>
+        <deleted>0</deleted>
+        <sys_language_uid>0</sys_language_uid>
+        <l10n_parent>0</l10n_parent>
+        <title>Another page</title>
+        <perms_userid>1</perms_userid>
+        <perms_groupid>2</perms_groupid>
+        <perms_user>31</perms_user>
+        <perms_group>27</perms_group>
+        <perms_everybody>0</perms_everybody>
+        <is_siteroot>1</is_siteroot>
+    </pages>
+    <pages>
+        <pid>4</pid>
+        <uid>40</uid>
+        <deleted>0</deleted>
+        <sys_language_uid>0</sys_language_uid>
+        <l10n_parent>0</l10n_parent>
+        <title>Another page subpage</title>
+        <perms_userid>1</perms_userid>
+        <perms_groupid>1</perms_groupid>
+        <perms_user>31</perms_user>
+        <perms_group>27</perms_group>
+        <perms_everybody>0</perms_everybody>
+        <is_siteroot>0</is_siteroot>
+    </pages>
 </dataset>