diff --git a/SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch b/SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
new file mode 100644
index 0000000..6632968
--- /dev/null
+++ b/SOURCES/Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
@@ -0,0 +1,60 @@
+From 7b5ed3cffcfe2bc21f3157e883b078983947a113 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Fri, 24 Jul 2020 16:05:24 -0400
+Subject: [PATCH] Fix leak in KERB_AP_OPTIONS_CBT server support
+
+In check_cbt(), use a local variable to hold the retrieved authdata
+list, and free it before returning.
+
+ticket: 8900
+(cherry picked from commit bf2ddff13c178e0c291f8fb382b040080d159e4f)
+(cherry picked from commit 044e2209586fd1935d9a637df76d52f48c4f3e6e)
+---
+ src/lib/gssapi/krb5/accept_sec_context.c | 23 +++++++++++++----------
+ 1 file changed, 13 insertions(+), 10 deletions(-)
+
+diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
+index 175a24c4e..3d5b84b15 100644
+--- a/src/lib/gssapi/krb5/accept_sec_context.c
++++ b/src/lib/gssapi/krb5/accept_sec_context.c
+@@ -433,27 +433,30 @@ static const uint8_t null_cb[CB_MD5_LEN];
+ /* Look for AP_OPTIONS in authdata.  If present and the options include
+  * KERB_AP_OPTIONS_CBT, set *cbt_out to true. */
+ static krb5_error_code
+-check_cbt(krb5_context context, krb5_authdata **authdata,
++check_cbt(krb5_context context, krb5_authdata *const *authdata,
+           krb5_boolean *cbt_out)
+ {
+     krb5_error_code code;
++    krb5_authdata **ad;
+     uint32_t ad_ap_options;
+     const uint32_t KERB_AP_OPTIONS_CBT = 0x4000;
+ 
+     *cbt_out = FALSE;
+ 
+     code = krb5_find_authdata(context, NULL, authdata,
+-                              KRB5_AUTHDATA_AP_OPTIONS, &authdata);
+-    if (code || authdata == NULL)
++                              KRB5_AUTHDATA_AP_OPTIONS, &ad);
++    if (code || ad == NULL)
+         return code;
+-    if (authdata[1] != NULL || authdata[0]->length != 4)
+-        return KRB5KRB_AP_ERR_MSG_TYPE;
++    if (ad[1] != NULL || ad[0]->length != 4) {
++        code = KRB5KRB_AP_ERR_MSG_TYPE;
++    } else {
++        ad_ap_options = load_32_le(ad[0]->contents);
++        if (ad_ap_options & KERB_AP_OPTIONS_CBT)
++            *cbt_out = TRUE;
++    }
+ 
+-    ad_ap_options = load_32_le(authdata[0]->contents);
+-    if (ad_ap_options & KERB_AP_OPTIONS_CBT)
+-        *cbt_out = TRUE;
+-
+-    return 0;
++    krb5_free_authdata(context, ad);
++    return code;
+ }
+ 
+ /*
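Review bot: In the embedded accept_sec_context.c change, `ad` is declared uninitialized and the early `return code;` after krb5_find_authdata() bypasses the new krb5_free_authdata() call. The leak fix therefore relies on that helper always writing the output pointer and never leaving a partially built list behind on failure, which this hunk does not show. Declaring it as `krb5_authdata **ad = NULL;` would remove that dependence on the callee. The comment above check_cbt() could also state that more than one AP_OPTIONS element, or a length other than 4, returns KRB5KRB_AP_ERR_MSG_TYPE. That matters because the authdata is presumably supplied by the initiator, and the length check is what bounds the load_32_le() read.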
diff --git a/SPECS/krb5.spec b/SPECS/krb5.spec
index d154ab4..5b9949a 100644
--- a/SPECS/krb5.spec
+++ b/SPECS/krb5.spec
@@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.18.2
 # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
-Release: 4%{?dist}
+Release: 5%{?dist}
 
 # lookaside-cached sources; two downloads and a build artifact
 Source0: https://web.mit.edu/kerberos/dist/krb5/1.17/krb5-%{version}%{prerelease}.tar.gz
@@ -72,6 +72,7 @@ Patch126: Add-client_aware_channel_bindings-option.patch
 Patch127: Pass-channel-bindings-through-SPNEGO.patch
 Patch128: Add-channel-bindings-tests.patch
 Patch129: Ignore-bad-enctypes-in-krb5_string_to_keysalts.patch
+Patch130: Fix-leak-in-KERB_AP_OPTIONS_CBT-server-support.patch
 
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -682,6 +683,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Tue Aug 04 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-5
+- Fix leak in KERB_AP_OPTIONS_CBT server support
+- Resolves: #1860831
+
 * Tue Jul 28 2020 Robbie Harwood <rharwood@redhat.com> - 1.18.2-4
 - Ignore bad enctypes in krb5_string_to_keysalts()
 - Resolves: #1858322