diff --git a/lib/src/isolation.rs b/lib/src/isolation.rs
index 48c6bca7..02c41b57 100644
--- a/lib/src/isolation.rs
+++ b/lib/src/isolation.rs
@@ -31,6 +31,7 @@ pub(crate) fn unprivileged_subprocess(binary: &str, user: &str) -> Command {
     cmd.args([
         "--no-new-privs",
         "--init-groups",
+        "--reset-env",
         "--reuid",
         user,
         "--bounding-set",