diff --git a/core/.changelog.d/1018.changed b/core/.changelog.d/1018.changed
new file mode 100644
index 0000000000..018e42bd4c
--- /dev/null
+++ b/core/.changelog.d/1018.changed
@@ -0,0 +1 @@
+Ensure input's script type and path match the scriptPubKey.
diff --git a/core/.changelog.d/1018.incompatible b/core/.changelog.d/1018.incompatible
new file mode 100644
index 0000000000..d0b3118eb0
--- /dev/null
+++ b/core/.changelog.d/1018.incompatible
@@ -0,0 +1 @@
+Trezor will refuse to sign UTXOs that do not match the provided derivation path (e.g., transactions belonging to a different wallet, or synthetic transaction inputs).
diff --git a/core/src/apps/bitcoin/sign_tx/bitcoin.py b/core/src/apps/bitcoin/sign_tx/bitcoin.py
index 97121eada5..1dd68dd7e3 100644
--- a/core/src/apps/bitcoin/sign_tx/bitcoin.py
+++ b/core/src/apps/bitcoin/sign_tx/bitcoin.py
@@ -229,6 +229,9 @@ class Bitcoin: if prev_amount != txi.amount: raise wire.DataError("Invalid amount specified") + if script_pubkey != self.input_derive_script(txi): + raise wire.DataError("Input does not match scriptPubKey") + if i in self.external: await self.verify_external_input(i, txi, script_pubkey)
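Review bot: The new comparison `script_pubkey != self.input_derive_script(txi)` in the bitcoin.py hunk runs for every input, ahead of the `if i in self.external:` branch, and `input_derive_script` is not visible here, so it is unclear what it returns for an external input that has no derivation path on this device. If it always derives from the input's path, external inputs would be rejected or compared against a meaningless script; confirm it has an external-input case, or guard the check with `if i not in self.external:`. A one-line comment above the check, e.g. `# prev-tx output must pay to the script derived from this input's path and script type`, would record why a mismatch is fatal. No test exercising the new `DataError` is visible in this diff, and the enclosing method starts and ends outside the hunk.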