diff --git a/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php b/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
index f1195dedb2698e742e773bc32abcae6a365c72f5..504fc597286180e892b1058af8fc035e463e6792 100644
--- a/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
+++ b/core/modules/rest/lib/Drupal/rest/Plugin/rest/resource/EntityResource.php
@@ -71,7 +71,11 @@ public function get($id) {
    *
    * @throws \Symfony\Component\HttpKernel\Exception\HttpException
    */
-  public function post($id, EntityInterface $entity) {
+  public function post($id, EntityInterface $entity = NULL) {
+    if ($entity == NULL) {
+      throw new BadRequestHttpException(t('No entity content received.'));
+    }
+
     if (!$entity->access('create')) {
       throw new AccessDeniedHttpException();
     }
@@ -117,7 +121,11 @@ public function post($id, EntityInterface $entity) {
    *
    * @throws \Symfony\Component\HttpKernel\Exception\HttpException
    */
-  public function patch($id, EntityInterface $entity) {
+  public function patch($id, EntityInterface $entity = NULL) {
+    if ($entity == NULL) {
+      throw new BadRequestHttpException(t('No entity content received.'));
+    }
+
     if (empty($id)) {
       throw new NotFoundHttpException();
     }
diff --git a/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php b/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
index 42c29500313959594e317bab40203f815bbc5c25..4ccc0b6bb08d0f7d1b1f0956dc1b9ec6dd84cad5 100644
--- a/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/CreateTest.php
@@ -88,6 +88,10 @@ public function testCreate() {
     $this->httpRequest('entity/' . $entity_type, 'POST', 'kaboom!', $this->defaultMimeType);
     $this->assertResponse(400);
 
+    // Try to send no data at all, which does not make sense on POST requests.
+    $this->httpRequest('entity/' . $entity_type, 'POST', NULL, $this->defaultMimeType);
+    $this->assertResponse(400);
+
     // Try to create an entity without the CSRF token.
     $this->curlExec(array(
       CURLOPT_HTTPGET => FALSE,
diff --git a/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php b/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
index 25d56c92d7a82e21592d3fe65b07b1ca5fb48640..eca41bc604537300b022b5f29b761c324871f3ba 100644
--- a/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
+++ b/core/modules/rest/lib/Drupal/rest/Tests/UpdateTest.php
@@ -104,6 +104,10 @@ public function testPatchUpdate() {
     $entity->field_test_text->value = $this->randomString();
     $entity->save();
 
+    // Try to send no data at all, which does not make sense on PATCH requests.
+    $this->httpRequest('entity/' . $entity_type . '/' . $entity->id(), 'PATCH', NULL, $this->defaultMimeType);
+    $this->assertResponse(400);
+
     // Try to update a non-existing entity with ID 9999.
     $this->httpRequest('entity/' . $entity_type . '/9999', 'PATCH', $serialized, $this->defaultMimeType);
     $this->assertResponse(404);