diff --git a/openssh-8.7p1-authorized-keys-principles-option.patch b/openssh-8.7p1-authorized-keys-principles-option.patch
new file mode 100644
index 0000000..3c547c3
--- /dev/null
+++ b/openssh-8.7p1-authorized-keys-principles-option.patch
@@ -0,0 +1,37 @@
+diff --color -ruNp a/auth2-pubkey.c b/auth2-pubkey.c
+--- a/auth2-pubkey.c 2026-04-13 15:13:58.759515611 +0200
++++ b/auth2-pubkey.c 2026-04-13 15:20:28.131029727 +0200
+@@ -329,20 +329,23 @@ user_key_verify(struct ssh *ssh, const s
+ static int
+ match_principals_option(const char *principal_list, struct sshkey_cert *cert)
+ {
+- char *result;
++ char *list, *olist, *entry;
+ u_int i;
+ 
+- /* XXX percent_expand() sequences for authorized_principals? */
+-
+- for (i = 0; i < cert->nprincipals; i++) {
+- if ((result = match_list(cert->principals[i],
+- principal_list, NULL)) != NULL) {
+- debug3("matched principal from key options \"%.100s\"",
+- result);
+- free(result);
+- return 1;
++ olist = list = xstrdup(principal_list);
++ for (;;) {
++ if ((entry = strsep(&list, ",")) == NULL || *entry == '\0')
++ break;
++ for (i = 0; i < cert->nprincipals; i++) {
++ if (strcmp(entry, cert->principals[i]) == 0) {
++ debug3("matched principal from key i"
++ "options \"%.100s\"", entry);
++ free(olist);
++ return 1;
++ }
+ }
+ }
++ free(olist);
+ return 0;
+ }
+ 
diff --git a/openssh.spec b/openssh.spec
index 00f8d2d..9b28f3c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -306,6 +306,8 @@ Patch1025: openssh-9.9p1-scp-clear-setuid.patch
 Patch1026: openssh-8.0p1-mux-askpass-check.patch
 # upstream fd1c7e131f331942d20f42f31e79912d570081fa
 Patch1027: openssh-8.0p1-ecdsa-incomplete-application.patch
+# upstream fd1c7e131f331942d20f42f31e79912d570081fa
+Patch1028: openssh-8.7p1-authorized-keys-principles-option.patch
 License: BSD
 Group: Applications/Internet
 
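Review bot: The debug3 format in the new inner loop concatenates to `matched principal from key ioptions "..."` — the first string fragment ends in a stray `i` with no trailing space; it should read `debug3("matched principal from key "` so the log says `matched principal from key options`. The rewrite otherwise compares each comma-separated option entry with `strcmp` against each whole certificate principal instead of passing the principal to match_list(), which presumably is the mishandling the CVE-2026-35414 changelog entry refers to. One consequence worth documenting is that the loop breaks on the first empty entry, so a list such as `a,,b` or one with a trailing comma stops before any later entries; that fails closed, so I would add a comment rather than change it: `/* an empty entry (doubled or trailing comma) ends the list */`. The whole of match_principals_option is within the hunk.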
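Review bot: The `# upstream fd1c7e131f331942d20f42f31e79912d570081fa` line added above Patch1028 repeats the hash the preceding line already attributes to Patch1027, the ECDSA fix, which looks like a copy-paste; confirm the upstream commit the principals fix is backported from and cite that, or drop the comment rather than point readers at the wrong commit. The new patch file name also spells `principles` where the changelog entry and the option itself say `principals`; naming it `openssh-8.7p1-authorized-keys-principals-option.patch`, with a matching `-b .authorized-keys-principals-option` suffix on the %patch1028 line in the later hunk, would keep the names consistent.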
@@ -560,6 +562,7 @@ popd
 %patch1025 -p1 -b .scp-clear-setuid
 %patch1026 -p1 -b .mux-askpass-check
 %patch1027 -p1 -b .ecdsa-incomplete-application
+%patch1028 -p1 -b .authorized-keys-principles-option
 autoreconf
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -855,6 +858,8 @@ getent passwd sshd >/dev/null || \
 - CVE-2026-35387: Fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys
 Resolves: RHEL-166224
+- CVE-2026-35414: Fix mishandling of authorized_keys principals option
+ Resolves: RHEL-166192
 * Mon Mar 16 2026 Zoltan Fridrich - 8.0p1-28
 - CVE-2026-3497: Fix information disclosure or denial of service due