diff --git a/packages/core/src/services/environmentSanitization.test.ts b/packages/core/src/services/environmentSanitization.test.ts
index da0d14e5dd..dcf665f88e 100644
--- a/packages/core/src/services/environmentSanitization.test.ts
+++ b/packages/core/src/services/environmentSanitization.test.ts
@@ -370,7 +370,7 @@ describe('getSecureSanitizationConfig', () => {
 );
 });
- it('should not filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
+ it('should filter out variables from allowed list that match NEVER_ALLOWED_NAME_PATTERNS', () => {
 const requestedConfig = {
 allowedEnvironmentVariables: ['SAFE_VAR', 'MY_SECRET_TOKEN'],
 };
@@ -378,7 +378,7 @@ describe('getSecureSanitizationConfig', () => {
 const config = getSecureSanitizationConfig(requestedConfig);
 expect(config.allowedEnvironmentVariables).toContain('SAFE_VAR');
- expect(config.allowedEnvironmentVariables).toContain('MY_SECRET_TOKEN');
+ expect(config.allowedEnvironmentVariables).not.toContain('MY_SECRET_TOKEN');
 });
 it('should deduplicate variables in allowed and blocked lists', () => {
diff --git a/packages/core/src/services/environmentSanitization.ts b/packages/core/src/services/environmentSanitization.ts
index 0bd8bdbfa3..1889e2b2cf 100644
--- a/packages/core/src/services/environmentSanitization.ts
+++ b/packages/core/src/services/environmentSanitization.ts
@@ -213,6 +213,12 @@ export function getSecureSanitizationConfig(
 if (NEVER_ALLOWED_ENVIRONMENT_VARIABLES.has(upperKey)) {
 return false;
 }
+ // Never allow variables that match sensitive name patterns
+ for (const pattern of NEVER_ALLOWED_NAME_PATTERNS) {
+ if (pattern.test(upperKey)) {
+ return false;
+ }
+ }
 return true;
 });
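Review bot: The flipped assertion in the second test hunk pins only the already-uppercase name `MY_SECRET_TOKEN`, while the source-side filter matches on `upperKey`, so nothing in this test confirms that a lowercase request is normalised before the pattern scan. Assuming the allow list is compared case-insensitively, adding `'my_secret_token'` to `allowedEnvironmentVariables` in the first test hunk and asserting `expect(config.allowedEnvironmentVariables).not.toContain('my_secret_token');` here would lock that in. The `it` block this hunk belongs to opens in the previous hunk, and the enclosing `describe` starts outside the diff.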
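Review bot: The added loop's `pattern.test(upperKey)` is only reliable if no entry of NEVER_ALLOWED_NAME_PATTERNS is compiled with the `g` or `y` flag, which this hunk does not show; a global or sticky RegExp carries `lastIndex` between calls, so after one successful match the same pattern can report `false` for the next name it is asked about, and a sensitive-looking variable would then survive the allow list. `String.prototype.search` ignores `lastIndex`, and collapsing the loop to `if (NEVER_ALLOWED_NAME_PATTERNS.some((pattern) => upperKey.search(pattern) !== -1)) { return false; }` both removes that dependency and reads parallel to the `has()` check just above it. If the same patterns also guard the blocked list or the defaults elsewhere in the file, a shared `isNeverAllowedName(upperKey)` helper would keep the set lookup and the pattern scan in one place — worth confirming against the rest of the file. The filter callback and `getSecureSanitizationConfig` both begin before this hunk and the function continues after it.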