diff -up ./plugins/sudoers/sudoers.c.cve-host ./plugins/sudoers/sudoers.c
--- ./plugins/sudoers/sudoers.c.cve-host 2025-06-25 14:10:11.369219892 +0200
+++ ./plugins/sudoers/sudoers.c 2025-06-25 14:11:48.395137626 +0200
@@ -393,6 +393,18 @@ sudoers_policy_main(int argc, char * con
 }
 }

+ /* The user may only specify a host for "sudo -l". */
+ if (!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)) {
+ if (strcmp(user_runhost, user_host) != 0) {
+ log_warningx(SLOG_NO_STDERR|SLOG_AUDIT,
+ N_("user not allowed to set remote host for command"));
+ sudo_warnx("%s",
+ U_("a remote host may only be specified when listing privileges."));
+ ret = false;
+ goto done;
+ }
+ }
+
 /* If given the -P option, set the "preserve_groups" flag. */
 if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
 def_preserve_groups = true;
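Review bot: The comment on the new guard says a host may only be given for "sudo -l", but the condition `!ISSET(sudo_mode, MODE_LIST|MODE_CHECK)` also lets MODE_CHECK through, so the comment should name both modes, e.g. `/* A host other than the local one is only accepted in list or check mode; every other mode is refused here. */`. The `strcmp(user_runhost, user_host)` test is an exact byte comparison, so a differently-cased or short-versus-qualified spelling of the local host is refused too; that fails closed, which is the right direction for this check, and is worth stating in the comment so it is not later relaxed to a looser match. The audit message logged with `SLOG_AUDIT` does not record which host was requested, which would make these rejections easier to triage in logs. sudoers_policy_main starts and ends outside the hunk, so whether `user_runhost` is always non-NULL at this point cannot be confirmed from here.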