diff --git a/lib/srv/exec_linux_test.go b/lib/srv/exec_linux_test.go
index debe0e2ab997d..6b4d208bc486b 100644
--- a/lib/srv/exec_linux_test.go
+++ b/lib/srv/exec_linux_test.go
@@ -115,6 +115,23 @@ func TestOSCommandPrep(t *testing.T) {
 require.Equal(t, expectedEnv, cmd.Env)
 }
 
+func TestConfigureCommand(t *testing.T) {
+ srv := newMockServer(t)
+ scx := newExecServerContext(t, srv)
+
+ unexpectedKey := "FOO"
+ unexpectedValue := "BAR"
+ // environment values in the server context should not be forwarded
+ scx.SetEnv(unexpectedKey, unexpectedValue)
+
+ cmd, err := ConfigureCommand(scx)
+ require.NoError(t, err)
+
+ require.NotNil(t, cmd)
+ require.Equal(t, "/proc/self/exe", cmd.Path)
+ require.NotContains(t, cmd.Env, unexpectedKey+"="+unexpectedValue)
+}
+
 // TestContinue tests if the process hangs if a continue signal is not sent
 // and makes sure the process continues once it has been sent.
 func TestContinue(t *testing.T) {
diff --git a/lib/srv/reexec.go b/lib/srv/reexec.go
index 90e3c22dddf40..82dc678e52963 100644
--- a/lib/srv/reexec.go
+++ b/lib/srv/reexec.go
@@ -961,7 +961,6 @@ func ConfigureCommand(ctx *ServerContext, extraFiles ...*os.File) (*exec.Cmd, er
 
 // build env for `teleport exec`
 env := &envutils.SafeEnv{}
- env.AddFullTrusted(cmdmsg.Environment...)
 env.AddExecEnvironment()
 
 // Build the "teleport exec" command.
diff --git a/lib/utils/envutils/environment.go b/lib/utils/envutils/environment.go
index 7eaf8c5f457c9..5c3ad51e359dd 100644
--- a/lib/utils/envutils/environment.go
+++ b/lib/utils/envutils/environment.go
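Review bot: TestConfigureCommand has no leading doc comment, unlike its neighbour TestContinue, so a reader must infer from the single NotContains assertion that this is the regression test for server-context variables leaking into the re-exec environment; add `// TestConfigureCommand verifies that environment values set on the ServerContext are not forwarded into the environment of the re-exec'd command.` above the func line. The assertion only proves that the exact element `FOO=BAR` is absent from cmd.Env, since require.NotContains on a []string compares whole elements; asserting that cmd.Env equals the environment AddExecEnvironment produces would pin the full contract, though what newExecServerContext sets up is not visible here.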
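Review bot: Removing `env.AddFullTrusted(cmdmsg.Environment...)` leaves no trace in ConfigureCommand of why caller-supplied variables must stay out of the environment of the re-exec'd `teleport exec` process, so a later tidy-up could reintroduce the forwarding that the new test guards against; a comment after `env := &envutils.SafeEnv{}` such as `// Deliberately not adding cmdmsg.Environment: the re-exec'd process must not start with caller-supplied variables.` would pin the decision next to the code. If cmdmsg.Environment is still delivered to the child over the command pipe and applied there, the comment should say so, but that path is outside this hunk. ConfigureCommand starts and ends outside the hunk.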
@@ -91,25 +91,13 @@ func ReadEnvironmentFile(filename string) ([]string, error) {
 return *env, nil
 }
 
-var unsafeEnvironmentVars = map[string]struct{}{
+var unsafeEnvironmentPrefixes = []string{
 // Linux
- "LD_ASSUME_KERNEL": {},
- "LD_AUDIT": {},
- "LD_BIND_NOW": {},
- "LD_BIND_NOT": {},
- "LD_DYNAMIC_WEAK": {},
- "LD_LIBRARY_PATH": {},
- "LD_ORIGIN_PATH": {},
- "LD_POINTER_GUARD": {},
- "LD_PREFER_MAP_32BIT_EXEC": {},
- "LD_PRELOAD": {},
- "LD_PROFILE": {},
- "LD_RUNPATH": {},
- "LD_RPATH": {},
- "LD_USE_LOAD_BIAS": {},
+ // Covering cases from LD (man ld.so) to prevent injection like LD_PRELOAD
+ "LD_",
 // macOS
- "DYLD_INSERT_LIBRARIES": {},
- "DYLD_LIBRARY_PATH": {},
+ // Covering cases from DYLD (man dyld) to prevent injection like DYLD_LIBRARY_PATH
+ "DYLD_",
 }
 
 // SafeEnv allows you to build a system environment while avoiding potentially dangerous environment conditions. In
@@ -132,7 +120,7 @@ func (e *SafeEnv) AddUnique(k, v string) {
 func (e *SafeEnv) add(preventDuplicates bool, k, v string) {
 k = strings.TrimSpace(k)
 v = strings.TrimSpace(v)
- if e.unsafeKey(preventDuplicates, k) {
+ if e.isUnsafeKey(preventDuplicates, k) {
 return
 }
 
@@ -158,7 +146,7 @@ func (e *SafeEnv) addFull(preventDuplicates bool, fullValues []string) {
 kv = strings.TrimSpace(kv)
 key := strings.SplitN(kv, "=", 2)[0]
 
- if e.unsafeKey(preventDuplicates, key) {
+ if e.isUnsafeKey(preventDuplicates, key) {
 continue
 }
 
@@ -166,14 +154,16 @@ func (e *SafeEnv) addFull(preventDuplicates bool, fullValues []string) {
 }
 }
 
-func (e *SafeEnv) unsafeKey(preventDuplicates bool, key string) bool {
+func (e *SafeEnv) isUnsafeKey(preventDuplicates bool, key string) bool {
 if key == "" || key == "=" {
 return false
 }
 
 upperKey := strings.ToUpper(key)
- if _, unsafe := unsafeEnvironmentVars[upperKey]; unsafe {
- return true
+ for _, prefix := range unsafeEnvironmentPrefixes {
+ if strings.HasPrefix(upperKey, prefix) {
+ return true
+ }
 }
 
 if preventDuplicates {
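Review bot: unsafeEnvironmentPrefixes is compared against strings.ToUpper(key) in isUnsafeKey, so every entry must be written in upper case or it will silently never match, and that invariant is not stated on the slice. Add above the var: `// Entries must be upper-case: isUnsafeKey matches them against the upper-cased key.` The switch from named variables to prefixes also deliberately over-blocks (any LD_*/DYLD_* name, including loader variables added in future), which is the right direction for a denylist but worth a line so nobody narrows it back, e.g. `// Any LD_/DYLD_ variable is dropped; over-blocking is preferred to an incomplete list of loader variables.`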
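Review bot: isUnsafeKey has no doc comment, and its two halves (prefix match, then the preventDuplicates branch) are easy to misread because the second half continues outside the hunk. Add above the func: `// isUnsafeKey reports whether key must be dropped: it starts with one of unsafeEnvironmentPrefixes (compared case-insensitively) or, when preventDuplicates is set, presumably is already present in e.` The case-insensitive prefix match means a lower-case `ld_preload` is also dropped even though Linux treats variable names as case-sensitive; that is the safe direction, but stating it prevents someone "fixing" it later. The function body ends outside the hunk.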