diff --git a/openssh-9.9p1-sshd-no-delegate-credentials.patch b/openssh-9.9p1-sshd-no-delegate-credentials.patch
new file mode 100644
index 0000000..2b70103
--- /dev/null
+++ b/openssh-9.9p1-sshd-no-delegate-credentials.patch
@@ -0,0 +1,122 @@
+diff --git a/gss-serv.c b/gss-serv.c
+index 5c0491cf1..e2c501d0c 100644
+--- a/gss-serv.c
++++ b/gss-serv.c
+@@ -509,6 +509,11 @@ ssh_gssapi_cleanup_creds(void)
+ int
+ ssh_gssapi_storecreds(void)
+ {
++ if (options.gss_deleg_creds == 0) {
++ debug_f("delegate credential is disabled, doing nothing");
++ return 0;
++ }
++
+ if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+ return (*gssapi_client.mech->storecreds)(&gssapi_client);
+ } else
+diff --git a/servconf.c b/servconf.c
+index aab653244..02a9888c9 100644
+--- a/servconf.c
++++ b/servconf.c
+@@ -144,6 +144,7 @@ initialize_server_options(ServerOptions *options)
+ options->gss_authentication=-1;
+ options->gss_keyex = -1;
+ options->gss_cleanup_creds = -1;
++ options->gss_deleg_creds = -1;
+ options->gss_strict_acceptor = -1;
+ options->gss_store_rekey = -1;
+ options->gss_kex_algorithms = NULL;
+@@ -403,6 +404,8 @@ fill_default_server_options(ServerOptions *options)
+ options->gss_keyex = 0;
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
++ if (options->gss_deleg_creds == -1)
++ options->gss_deleg_creds = 1;
+ if (options->gss_strict_acceptor == -1)
+ options->gss_strict_acceptor = 1;
+ if (options->gss_store_rekey == -1)
+@@ -598,7 +601,8 @@ typedef enum {
+ sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
+ sPerSourcePenalties, sPerSourcePenaltyExemptList,
+ sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
+- sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
++ sGssAuthentication, sGssCleanupCreds, sGssDelegateCreds,
++ sGssEnablek5users, sGssStrictAcceptor,
+ sGssKeyEx, sGssIndicators, sGssKexAlgorithms, sGssStoreRekey,
+ sAcceptEnv, sSetEnv, sPermitTunnel,
+ sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
+@@ -690,6 +694,7 @@ static struct {
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sGssCleanupCreds, SSHCFG_GLOBAL },
++ { "gssapidelegatecredentials", sGssDelegateCreds, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sGssKeyEx, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sGssStoreRekey, SSHCFG_GLOBAL },
+@@ -700,6 +705,7 @@ static struct {
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapicleanupcreds", sUnsupported, SSHCFG_GLOBAL },
++ { "gssapidelegatecredentials", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapikeyexchange", sUnsupported, SSHCFG_GLOBAL },
+ { "gssapistorecredentialsonrekey", sUnsupported, SSHCFG_GLOBAL },
+@@ -1713,6 +1719,10 @@ process_server_config_line_depth(ServerOptions *options, char *line,
+ intptr = &options->gss_cleanup_creds;
+ goto parse_flag;
+
++ case sGssDelegateCreds:
++ intptr = &options->gss_deleg_creds;
++ goto parse_flag;
++
+ case sGssStrictAcceptor:
+ intptr = &options->gss_strict_acceptor;
+ goto parse_flag;
+@@ -3359,6 +3369,7 @@ dump_config(ServerOptions *o)
+ #ifdef GSSAPI
+ dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
+ dump_cfg_fmtint(sGssCleanupCreds, o->gss_cleanup_creds);
++ dump_cfg_fmtint(sGssDelegateCreds, o->gss_deleg_creds);
+ dump_cfg_fmtint(sGssKeyEx, o->gss_keyex);
+ dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
+ dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
+diff --git a/servconf.h b/servconf.h
+index 7c41df417..6bfdf6305 100644
+--- a/servconf.h
++++ b/servconf.h
+@@ -158,6 +158,7 @@ typedef struct {
+ int gss_authentication; /* If true, permit GSSAPI authentication */
+ int gss_keyex; /* If true, permit GSSAPI key exchange */
+ int gss_cleanup_creds; /* If true, destroy cred cache on logout */
++ int gss_deleg_creds; /* If true, accept delegated GSS credentials */
+ int gss_strict_acceptor; /* If true, restrict the GSSAPI acceptor name */
+ int gss_store_rekey;
+ char *gss_kex_algorithms; /* GSSAPI kex methods to be offered by client. */
+diff --git a/sshd_config.0 b/sshd_config.0
+index 49349bb30..e798f4df5 100644
+--- a/sshd_config.0
++++ b/sshd_config.0
+@@ -453,6 +453,9 @@ DESCRIPTION
+ Specifies whether to automatically destroy the user's credentials
+ cache on logout. The default is yes.
+
++ GSSAPIDelegateCredentials
++ Accept delegated credentials on the server side. The default is yes.
++
+ GSSAPIStrictAcceptorCheck
+ Determines whether to be strict about the identity of the GSSAPI
+ acceptor a client authenticates against. If set to yes then the
+diff --git a/sshd_config.5 b/sshd_config.5
+index 90ab87edd..8c677bfd0 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -733,6 +733,9 @@ Specifies whether to automatically destroy the user's credentials cache
+ on logout.
+ The default is
+ .Cm yes .
++.It Cm GSSAPIDelegateCredentials
++Accept delegated credentials on the server side. The default is
++.CM yes .
+ .It Cm GSSAPIEnablek5users
+ Specifies whether to look at .k5users file for GSSAPI authentication
+ access control. Further details are described in
diff --git a/openssh.spec b/openssh.spec
index ef4a027..cf04ed0 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -43,7 +43,7 @@ Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: 17%{?dist}.alma.1
+Release: 18%{?dist}.alma.1
 URL: http://www.openssh.com/portable.html
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
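Review bot: The sshd_config.5 hunk at the end of the new patch file writes `.CM yes .` where the GSSAPICleanupCredentials entry two lines above uses `.Cm yes .`; mdoc macro names are case-sensitive, so `.CM` is not a macro and the default will not be typeset like the other entries — it should read `.Cm yes .`. The manual wording "Accept delegated credentials on the server side" also promises more than the gss-serv.c hunk delivers: the only new gate is the early return in ssh_gssapi_storecreds(), so a credential the client delegates during authentication is presumably still received by the server and merely not stored into a credential cache, which is what the option actually controls; `Specifies whether sshd stores credentials delegated by the client. The default is yes.` and, in servconf.h, `/* If true, store delegated GSS credentials */` would describe the observable behaviour. Whether the unstored delegated credential is still released at session end is decided outside this hunk (ssh_gssapi_cleanup_creds() is named in the hunk header but its body is not shown) and is worth confirming before relying on the option as a hardening knob. The default of 1 in fill_default_server_options() keeps the pre-patch behaviour, which is the right choice for a backport.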
@@ -225,6 +225,7 @@ Patch1031: openssh-10.0-mlkem-nist.patch
 Patch1032: openssh-9.9p1-reject-cntrl-chars-in-username.patch
 # upstream 43b3bff47bb029f2299bacb6a36057981b39fdb0
 Patch1033: openssh-9.9p1-reject-null-char-in-url-string.patch
+Patch1034: openssh-9.9p1-sshd-no-delegate-credentials.patch
 License: BSD-3-Clause AND BSD-2-Clause AND ISC AND SSH-OpenSSH AND ssh-keyscan AND sprintf AND LicenseRef-Fedora-Public-Domain AND X11-distribute-modifications-variant
 Requires: /sbin/nologin
@@ -423,6 +424,7 @@ gpgv2 --quiet --keyring %{SOURCE3} %{SOURCE1} %{SOURCE0}
 %patch -P 1031 -p1 -b .mlkem-nist
 %patch -P 1032 -p1 -b .reject-cntrl-chars-in-username
 %patch -P 1033 -p1 -b .reject-null-char-in-url-string
+%patch -P 1034 -p1 -b .sshd-nogsscreds
 %patch -P 100 -p1 -b .coverity
@@ -703,9 +705,13 @@ test -f %{sysconfig_anaconda} && \
 %attr(0755,root,root) %{_libdir}/sshtest/sk-dummy.so
 %changelog
-* Sat Dec 06 2025 Koichiro Iwao - 9.9p1-17.alma.1
+* Wed Dec 10 2025 Koichiro Iwao - 9.9p1-18.alma.1
 - Unpatch Red Hat help message
+* Fri Dec 05 2025 Dmitry Belyavskiy - 9.9p1-18
+- Adding a mechanism to disable GSSAPIDelegateCredentials in sshd_config
+ Resolves: RHEL-5281
+
 * Fri Dec 05 2025 Zoltan Fridrich - 9.9p1-17
 - CVE-2025-61984: Reject usernames with control characters
 Resolves: RHEL-128399