diff -r 7b1b88e27a20 -r 48c4eec2b7e6 wp/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
--- a/wp/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php	Thu Sep 29 08:06:27 2022 +0200
+++ b/wp/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php	Fri Sep 05 18:40:08 2025 +0200
@@ -610,6 +610,8 @@
 			return $user;
 		}
 
+		$fields = $this->get_fields_for_response( $request );
+
 		$prepared = array(
 			'uuid'      => $item['uuid'],
 			'app_id'    => empty( $item['app_id'] ) ? '' : $item['app_id'],
@@ -627,7 +629,10 @@
 		$prepared = $this->filter_response_by_context( $prepared, $request['context'] );
 
 		$response = new WP_REST_Response( $prepared );
-		$response->add_links( $this->prepare_links( $user, $item ) );
+
+		if ( rest_is_field_included( '_links', $fields ) || rest_is_field_included( '_embedded', $fields ) ) {
+			$response->add_links( $this->prepare_links( $user, $item ) );
+		}
 
 		/**
 		 * Filters the REST API response for an application password.
@@ -653,7 +658,14 @@
 	protected function prepare_links( WP_User $user, $item ) {
 		return array(
 			'self' => array(
-				'href' => rest_url( sprintf( '%s/users/%d/application-passwords/%s', $this->namespace, $user->ID, $item['uuid'] ) ),
+				'href' => rest_url(
+					sprintf(
+						'%s/users/%d/application-passwords/%s',
+						$this->namespace,
+						$user->ID,
+						$item['uuid']
+					)
+				),
 			),
 		);
 	}
@@ -707,7 +719,7 @@
 			return $error;
 		}
 
-		if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
+		if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && ! is_user_member_of_blog( $user->ID ) ) {
 			return $error;
 		}