diff --git a/changelog.html b/changelog.html
index 6cf4643eb761..baecec0ce380 100644
--- a/changelog.html
+++ b/changelog.html
@@ -65,6 +65,9 @@
   <li class="bug">
     Default e-mail suffix should be used to complete the domain name portion of the recipients list.
     (<a href="https://github.com/jenkinsci/jenkins/pull/324">pull #324</a>)
+  <li class="bug">
+    Closure execution after <tt>CLI.upgrade()</tt> should carry over the transport credential.
+    <a href="https://issues.jenkins-ci.org/browse/JENKINS-10890">issue 10890</a>
   <li class="bug">
     Incorrect path delimiter used in ZipArchiver when creating archive on Windows.
     <a href="https://issues.jenkins-ci.org/browse/JENKINS-9942">issue 9942</a>
diff --git a/core/src/main/java/hudson/cli/CliManagerImpl.java b/core/src/main/java/hudson/cli/CliManagerImpl.java
index 7a479a2ed29d..7ff5247e854c 100644
--- a/core/src/main/java/hudson/cli/CliManagerImpl.java
+++ b/core/src/main/java/hudson/cli/CliManagerImpl.java
@@ -23,8 +23,12 @@
  */
 package hudson.cli;
 
+import hudson.remoting.CallableFilter;
 import hudson.remoting.Channel;
 import hudson.remoting.Pipe;
+import org.acegisecurity.Authentication;
+import org.acegisecurity.context.SecurityContext;
+import org.acegisecurity.context.SecurityContextHolder;
 
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -33,6 +37,7 @@
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
+import java.util.concurrent.Callable;
 import java.util.logging.Logger;
 
 /**
@@ -42,9 +47,29 @@
  */
 public class CliManagerImpl implements CliEntryPoint, Serializable {
     private transient final Channel channel;
+    
+    private Authentication transportAuth;
+
+    /**
+     * Runs callable from this CLI client with the transport authentication credential.
+     */
+    private final CallableFilter authenticationFilter = new CallableFilter() {
+        public <V> V call(Callable<V> callable) throws Exception {
+            SecurityContext context = SecurityContextHolder.getContext();
+            Authentication old = context.getAuthentication();
+            if (transportAuth!=null)
+                context.setAuthentication(transportAuth);
+            try {
+                return callable.call();
+            } finally {
+                context.setAuthentication(old);
+            }
+        }
+    };
 
     public CliManagerImpl(Channel channel) {
         this.channel = channel;
+        channel.addLocalExecutionInterceptor(authenticationFilter);
     }
 
     public int main(List<String> args, Locale locale, InputStream stdin, OutputStream stdout, OutputStream stderr) {
@@ -62,7 +87,8 @@ public int main(List<String> args, Locale locale, InputStream stdin, OutputStrea
             cmd.channel = Channel.current();
             final CLICommand old = CLICommand.setCurrent(cmd);
             try {
-                cmd.setTransportAuth(Channel.current().getProperty(CLICommand.TRANSPORT_AUTHENTICATION));
+                transportAuth = Channel.current().getProperty(CLICommand.TRANSPORT_AUTHENTICATION);
+                cmd.setTransportAuth(transportAuth);
                 return cmd.main(args.subList(1,args.size()),locale, stdin, out, err);
             } finally {
                 CLICommand.setCurrent(old);
diff --git a/pom.xml b/pom.xml
index 8576703bd533..1af6a0ee3965 100644
--- a/pom.xml
+++ b/pom.xml
@@ -188,7 +188,7 @@ THE SOFTWARE.
       <dependency>
         <groupId>org.jenkins-ci.main</groupId>
         <artifactId>remoting</artifactId>
-        <version>2.11</version>
+        <version>2.12</version>
       </dependency>
 
       <dependency>