diff --git a/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch b/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch
new file mode 100644
index 0000000..63b0c74
--- /dev/null
+++ b/SOURCES/admin-Prevent-access-if-any-authentication-agent-isn.patch
@@ -0,0 +1,42 @@
+From d8d0c8c40049cfd824b2b90d0cd47914052b9811 Mon Sep 17 00:00:00 2001
+From: Ondrej Holy <oholy@redhat.com>
+Date: Wed, 2 Jan 2019 17:13:27 +0100
+Subject: [PATCH] admin: Prevent access if any authentication agent isn't
+ available
+
+The backend currently allows to access and modify files without prompting
+for password if any polkit authentication agent isn't available. This seems
+isn't usually problem, because polkit agents are integral parts of
+graphical environments / linux distributions. The agents can't be simply
+disabled without root permissions and are automatically respawned. However,
+this might be a problem in some non-standard cases.
+
+This affects only users which belong to wheel group (i.e. those who are
+already allowed to use sudo). It doesn't allow privilege escalation for
+users, who don't belong to that group.
+
+Let's return permission denied error also when the subject can't be
+authorized by any polkit agent to prevent this behavior.
+
+Closes: https://gitlab.gnome.org/GNOME/gvfs/issues/355
+---
+ daemon/gvfsbackendadmin.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/daemon/gvfsbackendadmin.c b/daemon/gvfsbackendadmin.c
+index ec0f2392..0f849008 100644
+--- a/daemon/gvfsbackendadmin.c
++++ b/daemon/gvfsbackendadmin.c
+@@ -130,8 +130,7 @@ check_permission (GVfsBackendAdmin *self,
+       return FALSE;
+     }
+ 
+-  is_authorized = polkit_authorization_result_get_is_authorized (result) ||
+-    polkit_authorization_result_get_is_challenge (result);
++  is_authorized = polkit_authorization_result_get_is_authorized (result);
+ 
+   g_object_unref (result);
+ 
+-- 
+2.20.1
+
diff --git a/SPECS/gvfs.spec b/SPECS/gvfs.spec
index 4c8e1af..29590ed 100644
--- a/SPECS/gvfs.spec
+++ b/SPECS/gvfs.spec
@@ -24,13 +24,16 @@
 
 Name: gvfs
 Version: 1.36.2
-Release: 1%{?dist}
+Release: 2%{?dist}.1
 Summary: Backends for the gio framework in GLib
 
 License: GPLv3 and LGPLv2+ and BSD and MPLv2.0
 URL: https://wiki.gnome.org/Projects/gvfs
 Source0: https://download.gnome.org/sources/gvfs/1.36/gvfs-%{version}.tar.xz
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1690470
+Patch0: admin-Prevent-access-if-any-authentication-agent-isn.patch
+
 BuildRequires: pkgconfig
 BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version}
 BuildRequires: pkgconfig(dbus-glib-1)
@@ -213,6 +216,7 @@ the functionality of the installed gvfs package.
 
 %prep
 %setup -q
+%patch0 -p1 -b .admin-Prevent-access-if-any-authentication-agent-isn
 
 autoreconf -fi
 
@@ -405,6 +409,12 @@ killall -USR1 gvfsd >&/dev/null || :
 %{_datadir}/installed-tests
 
 %changelog
+* Mon Apr 01 2019 Ondrej Holy <oholy@redhat.com> - 1.36.2-2.1
+- CVE-2019-3827: Prevent access if any authentication agent isn't available (#1690470)
+
+* Fri Dec 14 2018 Ray Strode <rstrode@redhat.com> - 1.36.2-2
+- rebuild
+
 * Tue Jun 12 2018 Ondrej Holy <oholy@redhat.com> - 1.36.2-1
 - Update to 1.36.2
 - Remove mount-archive.desktop helper