A missing access right has been found by Cédric Krier for the model 'product.product-production.bom'. This allows a malicious authenticated user to write, create or delete records of this type (see issue5570).
Any authenticated user can modify the links between products and BoMs.
All users should manually create a default model access that grants read-only access, and a second model access, limited to the group "Production Administration", that grants full access.
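The two access records described above, written as a Tryton XML data file for a custom module (an added example, not taken from this advisory or from the Tryton project's fix). The record ids and the group reference `production.group_production_admin` are assumptions; check the group's XML id on your installation, or create the same two records by hand in the client.

```xml
<?xml version="1.0"?>
<tryton>
    <data>
        <!-- Default access: no group set, so it applies to every user.
             Read only. The record id is an assumed name. -->
        <record model="ir.model.access" id="access_product_bom_default">
            <field name="model"
                search="[('model', '=', 'product.product-production.bom')]"/>
            <field name="perm_read" eval="True"/>
            <field name="perm_write" eval="False"/>
            <field name="perm_create" eval="False"/>
            <field name="perm_delete" eval="False"/>
        </record>

        <!-- Full access, limited to the "Production Administration" group.
             The ref value is an assumed XML id for that group. -->
        <record model="ir.model.access" id="access_product_bom_admin">
            <field name="model"
                search="[('model', '=', 'product.product-production.bom')]"/>
            <field name="group" ref="production.group_production_admin"/>
            <field name="perm_read" eval="True"/>
            <field name="perm_write" eval="True"/>
            <field name="perm_create" eval="True"/>
            <field name="perm_delete" eval="True"/>
        </record>
    </data>
</tryton>
```

Both records are needed: with only the group-limited record in place, users outside the group would be left without the read access the advisory asks for.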
Affected versions: all versions of the production module up to and including series 4.0.
Unaffected versions: all versions of the production module after series 4.0 (4.0 not included).
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.