See Admin tools with Editor
I am not sure if this is intended, but it feels wrong.
You can create a new editor without any permissions. Just enter username and password and when you login as this editor you see the admin tools in the menu.
You can not do something, but seeing the menu feels also wrong.
In older TYPO3 versions this was not possible.
Updated by Georg Ringer over 4 years ago
How to reproduce:
1) Use the backend to create an editor
2) use the user module to switch to that user
The problem is in BackendUserAuthentication where
$this->getRealUserId() is compared with the maintainer idlist. This will return true when switched to a non admin who should still not see the admin module.