diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 70a0c1a52..ad2fa2f61 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -350,6 +350,18 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
 time_t now;
 debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(ctx->mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(ctx->runas.host, ctx->user.host) != 0) {
+ log_warningx(ctx, SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing privileges."));
+ ret = false;
+ goto done;
+ }
+ }
+
 /* If given the -P option, set the "preserve_groups" flag. */
 if (ISSET(ctx->mode, MODE_PRESERVE_GROUPS))
 def_preserve_groups = true;
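Review bot: The `strcmp(ctx->runas.host, ctx->user.host)` guard assumes both pointers are already non-NULL when `sudoers_check_common` runs, and nothing in this hunk establishes that; if either can be unset on some front-end path, the comparison is undefined behaviour in the very check that enforces the restriction. I would state the invariant in a comment above the test, e.g. `/* runas.host defaults to user.host when no host was requested; both are non-NULL here. */`, after confirming it against the code that fills `ctx`. The comparison is also case-sensitive, so a differently-cased spelling of the local host name is rejected; that fails closed, which is the safe direction, but it deserves a word in the same comment. The audit record written by `log_warningx` does not name the host that was requested, which is the detail an investigator would want first; presumably it could be added to the message, provided the value is logged safely. The function body, `ret` and the `done` label all lie outside the hunk.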