diff --git a/src/core/dhcp/nm-dhcp-dhclient.c b/src/core/dhcp/nm-dhcp-dhclient.c
index 7e00599cd8..92f4209428 100644
--- a/src/core/dhcp/nm-dhcp-dhclient.c
+++ b/src/core/dhcp/nm-dhcp-dhclient.c
@@ -221,6 +221,16 @@ find_existing_config(NMDhcpDhclient *self, int addr_family, const char *iface, c
     return NULL;
 }
 
+static gboolean
+_dhclient_hostname_is_valid(const char *hostname)
+{
+    for (const char *p = hostname; *p; p++) {
+        if (*p == '"' || *p == '\\' || *p < 0x20)
+            return FALSE;
+    }
+    return TRUE;
+}
+
 /* NM provides interface-specific options; thus the same dhclient config
  * file cannot be used since DHCP transactions can happen in parallel.
  * Since some distros don't have default per-interface dhclient config files,
@@ -251,6 +261,12 @@ create_dhclient_config(NMDhcpDhclient     *self,
 
     g_return_val_if_fail(iface != NULL, NULL);
 
+    if (hostname && !_dhclient_hostname_is_valid(hostname)) {
+        _LOGW("hostname '%s' contains unsafe characters for dhclient config, will be ignored",
+              hostname);
+        hostname = NULL;
+    }
+
     new_path = g_strdup_printf(NMSTATEDIR "/dhclient%s-%s.conf",
                                _addr_family_to_path_part(addr_family),
                                iface);