diff --git a/pkgs/servers/shellinabox/default.nix b/pkgs/servers/shellinabox/default.nix
index af1992fc8699..fe1837e907a1 100644
--- a/pkgs/servers/shellinabox/default.nix
+++ b/pkgs/servers/shellinabox/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pam, openssl, openssh, shadow, makeWrapper }:
+{ stdenv, fetchFromGitHub, fetchpatch, autoreconfHook, pam, openssl, openssh, shadow, makeWrapper }:
 stdenv.mkDerivation rec {
 version = "2.20";
@@ -11,10 +11,17 @@ stdenv.mkDerivation rec {
 sha256 = "1hmfayh21cks2lyj572944ll0mmgsxbnj981b3hq3nhdg8ywzjfr";
 };
- patches = [ ./shellinabox-minus.patch ];
+ patches = [
+ ./shellinabox-minus.patch
+ (fetchpatch {
+ name = "CVE-2018-16789.patch";
+ url = "https://github.com/shellinabox/shellinabox/commit/4f0ecc31ac6f985e0dd3f5a52cbfc0e9251f6361.patch";
+ sha256 = "1mpm6acxdb0fms9pa2b88fx6hp07ph87ahxi82yyqj2m7p79jx7a";
+ })
+ ];
- nativeBuildInputs = [ autoreconfHook ];
- buildInputs = [ pam openssl openssh makeWrapper ];
+ nativeBuildInputs = [ autoreconfHook makeWrapper ];
+ buildInputs = [ pam openssl openssh ];
 # Disable GSSAPIAuthentication errors. Also, paths in certain source files are
 # hardcoded. Replace the hardcoded paths with correct paths.
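Review bot: The `fetchpatch` entry added to `patches` in the second hunk has no comment saying when it can be removed, so the backport may linger or be dropped by accident on the next version bump. A line above it such as `# CVE-2018-16789: drop once the package moves past 2.20 to a release containing upstream commit 4f0ecc31ac6f` would record that. The `sha256` is what ties the build to the patch content that was reviewed. Because a fixed-output fetch is looked up by its hash, a later edit to `url` that keeps the old hash can silently reuse the old patch, so the hash should be recomputed whenever the URL changes. The `mkDerivation` block starts and ends outside the hunk.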