diff --git a/docs/concepts/transports/transports.md b/docs/concepts/transports/transports.md
index d0d885114..6bb362170 100644
--- a/docs/concepts/transports/transports.md
+++ b/docs/concepts/transports/transports.md
@@ -39,11 +39,44 @@ Key <xref:ModelContextProtocol.Client.StdioClientTransportOptions> properties:
 | `Command` | The executable to launch (required) |
 | `Arguments` | Command-line arguments for the process |
 | `WorkingDirectory` | Working directory for the server process |
-| `EnvironmentVariables` | Environment variables (merged with current; `null` values remove variables) |
+| `EnvironmentVariables` | Environment variables (merged with current when inheriting; `null` values remove variables) |
+| `InheritEnvironmentVariables` | Whether the server process inherits the current process's environment variables (default: `true`) |
 | `ShutdownTimeout` | Graceful shutdown timeout (default: 5 seconds) |
 | `StandardErrorLines` | Callback for stderr output from the server process |
 | `Name` | Optional transport identifier for logging |
 
+#### Environment variable inheritance
+
+By default, the server process inherits **all** environment variables from the current process. This includes credentials, tokens, proxy settings, and internal configuration that may be sensitive or irrelevant to the server. When running third-party or untrusted MCP servers, consider disabling inheritance to prevent unintentional credential leakage:
+
+```csharp
+var transport = new StdioClientTransport(new StdioClientTransportOptions
+{
+    Command = "my-mcp-server",
+    InheritEnvironmentVariables = false,
+    EnvironmentVariables = StdioClientTransportOptions.GetDefaultEnvironmentVariables(),
+});
+```
+
+`GetDefaultEnvironmentVariables()` returns a curated set of environment variables (such as `PATH`, `HOME`, and standard system directories) that most child processes need to start correctly, without leaking credentials or other sensitive values from the parent process. The allowlist is aligned with the defaults used by the TypeScript and Python MCP SDKs. You can add server-specific variables on top:
+
+```csharp
+var env = StdioClientTransportOptions.GetDefaultEnvironmentVariables();
+env["MY_SERVER_API_KEY"] = apiKey;
+
+var transport = new StdioClientTransport(new StdioClientTransportOptions
+{
+    Command = "my-mcp-server",
+    InheritEnvironmentVariables = false,
+    EnvironmentVariables = env,
+});
+```
+
+> [!WARNING]
+> **Security risk (inheriting):** Variables such as `AWS_SECRET_ACCESS_KEY`, `GITHUB_TOKEN`, `OPENAI_API_KEY`, and similar credentials present in the parent process automatically flow into the child process unless inheritance is disabled. This can unintentionally expose sensitive values to third-party or untrusted MCP servers.
+>
+> **Compatibility risk (not inheriting):** Disabling inheritance can cause the child process to fail to start or behave incorrectly if it relies on variables provided by the OS or shell. `GetDefaultEnvironmentVariables()` covers the most common requirements — `PATH`, `HOME`, and standard system directories — so for most servers it is a safe starting point. For servers that need additional variables not in the default set (such as `DOTNET_ROOT`, `LD_LIBRARY_PATH`, `JAVA_HOME`, or proxy settings like `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`), add them on top as shown in the example above.
+
 #### stdio server
 
 Use <xref:ModelContextProtocol.Server.StdioServerTransport> for servers that communicate over stdin/stdout:
diff --git a/samples/ChatWithTools/Program.cs b/samples/ChatWithTools/Program.cs
index c5870cdc3..98cf24166 100644
--- a/samples/ChatWithTools/Program.cs
+++ b/samples/ChatWithTools/Program.cs
@@ -39,6 +39,8 @@
         Command = "npx",
         Arguments = ["-y", "--verbose", "@modelcontextprotocol/server-everything"],
         Name = "Everything",
+        InheritEnvironmentVariables = false,
+        EnvironmentVariables = StdioClientTransportOptions.GetDefaultEnvironmentVariables(),
     }),
     clientOptions: new()
     {
@@ -82,4 +84,5 @@
     Console.WriteLine();
 
     messages.AddMessages(updates);
-}
\ No newline at end of file
+}
+
diff --git a/samples/QuickstartClient/Program.cs b/samples/QuickstartClient/Program.cs
index 685d8acff..c5d156126 100644
--- a/samples/QuickstartClient/Program.cs
+++ b/samples/QuickstartClient/Program.cs
@@ -31,6 +31,8 @@
         Name = "Demo Server",
         Command = command,
         Arguments = arguments,
+        InheritEnvironmentVariables = false,
+        EnvironmentVariables = MinimalDotNetEnvironment(),
     });
 }
 await using var mcpClient = await McpClient.CreateAsync(clientTransport!);
@@ -122,3 +124,21 @@ static string GetCurrentSourceDirectory([CallerFilePath] string? currentFile = n
     Debug.Assert(!string.IsNullOrWhiteSpace(currentFile));
     return Path.GetDirectoryName(currentFile) ?? throw new InvalidOperationException("Unable to determine source directory.");
 }
+
+// Returns the safe default environment variables plus extras needed by 'dotnet run'.
+// Omitting variables the server doesn't need prevents unintentional leakage of
+// credentials or other sensitive values present in the parent process.
+static Dictionary<string, string?> MinimalDotNetEnvironment()
+{
+    var env = StdioClientTransportOptions.GetDefaultEnvironmentVariables();
+    // 'dotnet run' also needs DOTNET_ROOT and NUGET_PACKAGES to find the .NET runtime and package cache.
+    foreach (var key in (string[])["DOTNET_ROOT", "NUGET_PACKAGES"])
+    {
+        var value = Environment.GetEnvironmentVariable(key);
+        if (value is not null)
+        {
+            env[key] = value;
+        }
+    }
+    return env;
+}
diff --git a/src/ModelContextProtocol.Core/Client/StdioClientTransport.cs b/src/ModelContextProtocol.Core/Client/StdioClientTransport.cs
index 24a7dba8e..8f57d462b 100644
--- a/src/ModelContextProtocol.Core/Client/StdioClientTransport.cs
+++ b/src/ModelContextProtocol.Core/Client/StdioClientTransport.cs
@@ -111,6 +111,11 @@ public async Task<ITransport> ConnectAsync(CancellationToken cancellationToken =
 #endif
             }
 
+            if (!_options.InheritEnvironmentVariables)
+            {
+                startInfo.Environment.Clear();
+            }
+
             if (_options.EnvironmentVariables != null)
             {
                 foreach (var entry in _options.EnvironmentVariables)
diff --git a/src/ModelContextProtocol.Core/Client/StdioClientTransportOptions.cs b/src/ModelContextProtocol.Core/Client/StdioClientTransportOptions.cs
index 2d6df08b4..6fe171dff 100644
--- a/src/ModelContextProtocol.Core/Client/StdioClientTransportOptions.cs
+++ b/src/ModelContextProtocol.Core/Client/StdioClientTransportOptions.cs
@@ -1,3 +1,5 @@
+using System.Runtime.InteropServices;
+
 namespace ModelContextProtocol.Client;
 
 /// <summary>
@@ -5,6 +7,90 @@ namespace ModelContextProtocol.Client;
 /// </summary>
 public sealed class StdioClientTransportOptions
 {
+    // Platform-appropriate allowlists, aligned with the TypeScript and Python MCP SDK defaults.
+    // TypeScript adds PROGRAMFILES; Python adds PATHEXT. Both are included here.
+    private static readonly string[] s_defaultWindowsVars =
+    [
+        "APPDATA", "HOMEDRIVE", "HOMEPATH", "LOCALAPPDATA", "PATH", "PATHEXT",
+        "PROCESSOR_ARCHITECTURE", "PROGRAMFILES", "SYSTEMDRIVE", "SYSTEMROOT",
+        "TEMP", "USERNAME", "USERPROFILE",
+    ];
+
+    private static readonly string[] s_defaultUnixVars =
+    [
+        "HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER",
+    ];
+
+    /// <summary>
+    /// Returns a curated set of environment variables from the current process that are safe to forward to a child
+    /// MCP server process.
+    /// </summary>
+    /// <returns>
+    /// A new <see cref="Dictionary{TKey, TValue}"/> populated with the subset of the current process's environment
+    /// variables that most child processes need to start correctly — for example <c>PATH</c>, <c>HOME</c>, and
+    /// standard system directories. Values that appear to be shell function definitions (those starting with
+    /// <c>()</c>) are excluded for security reasons.
+    /// </returns>
+    /// <remarks>
+    /// <para>
+    /// The allowlist is aligned with the defaults used by the TypeScript and Python MCP SDKs. On Windows it
+    /// includes: <c>APPDATA</c>, <c>HOMEDRIVE</c>, <c>HOMEPATH</c>, <c>LOCALAPPDATA</c>, <c>PATH</c>,
+    /// <c>PATHEXT</c>, <c>PROCESSOR_ARCHITECTURE</c>, <c>PROGRAMFILES</c>, <c>SYSTEMDRIVE</c>,
+    /// <c>SYSTEMROOT</c>, <c>TEMP</c>, <c>USERNAME</c>, and <c>USERPROFILE</c>. On Unix/macOS it includes:
+    /// <c>HOME</c>, <c>LOGNAME</c>, <c>PATH</c>, <c>SHELL</c>, <c>TERM</c>, and <c>USER</c>.
+    /// </para>
+    /// <para>
+    /// This method is designed to be used together with <see cref="InheritEnvironmentVariables"/> set to
+    /// <see langword="false"/>. Pass the returned dictionary as <see cref="EnvironmentVariables"/>, optionally
+    /// adding any server-specific variables the server requires:
+    /// <code>
+    /// var env = StdioClientTransportOptions.GetDefaultEnvironmentVariables();
+    /// env["MY_SERVER_API_KEY"] = apiKey;
+    ///
+    /// var transport = new StdioClientTransport(new StdioClientTransportOptions
+    /// {
+    ///     Command = "my-mcp-server",
+    ///     InheritEnvironmentVariables = false,
+    ///     EnvironmentVariables = env,
+    /// });
+    /// </code>
+    /// </para>
+    /// <para>
+    /// If the server requires additional variables not in the default set (such as <c>DOTNET_ROOT</c>,
+    /// <c>JAVA_HOME</c>, or proxy settings), add them explicitly after calling this method.
+    /// </para>
+    /// </remarks>
+    public static Dictionary<string, string?> GetDefaultEnvironmentVariables()
+    {
+        var names = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
+            ? s_defaultWindowsVars
+            : s_defaultUnixVars;
+
+        var result = new Dictionary<string, string?>(
+            RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
+                ? StringComparer.OrdinalIgnoreCase
+                : StringComparer.Ordinal);
+        foreach (var name in names)
+        {
+            var value = Environment.GetEnvironmentVariable(name);
+            if (value is null)
+            {
+                continue;
+            }
+
+            if (value.StartsWith("()", StringComparison.Ordinal))
+            {
+                // Skip shell function definitions — they are a security risk.
+                continue;
+            }
+
+            result[name] = value;
+        }
+
+        return result;
+    }
+
+
     /// <summary>
     /// Gets or sets the command to execute to start the server process.
     /// </summary>
@@ -38,6 +124,44 @@ public required string Command
     /// </summary>
     public string? WorkingDirectory { get; set; }
 
+    /// <summary>
+    /// Gets or sets a value indicating whether the server process should inherit the current process's environment variables.
+    /// </summary>
+    /// <value>
+    /// <see langword="true"/> to inherit the current process's environment variables (the default); <see langword="false"/>
+    /// to start the server process with an empty environment and only the variables explicitly provided via
+    /// <see cref="EnvironmentVariables"/>.
+    /// </value>
+    /// <remarks>
+    /// <para>
+    /// When <see langword="true"/> (the default), the server process starts with all of the current process's environment
+    /// variables. Any entries in <see cref="EnvironmentVariables"/> are then applied on top, adding or overwriting inherited
+    /// variables.
+    /// </para>
+    /// <para>
+    /// When <see langword="false"/>, the server process starts with a completely empty environment. The <see cref="EnvironmentVariables"/>
+    /// dictionary is the sole source of environment variables for the child process. This is useful when you want to minimize
+    /// the attack surface by preventing credentials, tokens, proxy settings, and other sensitive values present in the current
+    /// environment from unintentionally reaching the child process.
+    /// </para>
+    /// <para>
+    /// <strong>Security consideration:</strong> Inheriting environment variables (the default) can unintentionally expose
+    /// sensitive values to the child process. Variables such as <c>AWS_SECRET_ACCESS_KEY</c>, <c>GITHUB_TOKEN</c>,
+    /// <c>OPENAI_API_KEY</c>, and similar credentials that are present in the parent process will automatically flow into
+    /// the server process, which may be undesirable when running third-party or untrusted MCP servers.
+    /// </para>
+    /// <para>
+    /// <strong>Compatibility consideration:</strong> Disabling inheritance can cause the child process to fail to start or
+    /// behave unexpectedly if it relies on variables provided by the operating system or the user's shell environment.
+    /// <see cref="GetDefaultEnvironmentVariables"/> covers the most common requirements — <c>PATH</c>, <c>HOME</c>, and
+    /// standard system directories — and is a safe starting point for most servers. For servers that also need variables
+    /// outside that set (such as <c>DOTNET_ROOT</c>, <c>LD_LIBRARY_PATH</c>, <c>JAVA_HOME</c>, or proxy settings like
+    /// <c>HTTP_PROXY</c>, <c>HTTPS_PROXY</c>, and <c>NO_PROXY</c>), add them explicitly via <see cref="EnvironmentVariables"/>
+    /// after calling <see cref="GetDefaultEnvironmentVariables"/>.
+    /// </para>
+    /// </remarks>
+    public bool InheritEnvironmentVariables { get; set; } = true;
+
     /// <summary>
     /// Gets or sets environment variables to set for the server process.
     /// </summary>
@@ -48,10 +172,14 @@ public required string Command
     /// to the server without modifying its code.
     /// </para>
     /// <para>
-    /// By default, when starting the server process, the server process will inherit the current environment's variables,
-    /// as discovered via <see cref="Environment.GetEnvironmentVariables()"/>. After those variables are found, the entries
-    /// in this <see cref="EnvironmentVariables"/> dictionary are used to augment and overwrite the entries read from the environment.
-    /// That includes removing the variables for any of this collection's entries with a null value.
+    /// When <see cref="InheritEnvironmentVariables"/> is <see langword="true"/> (the default), the server process starts with
+    /// all environment variables inherited from the current process. The entries in this <see cref="EnvironmentVariables"/>
+    /// dictionary are then applied on top: adding new variables, overwriting inherited ones, or removing variables whose
+    /// value is set to <see langword="null"/>.
+    /// </para>
+    /// <para>
+    /// When <see cref="InheritEnvironmentVariables"/> is <see langword="false"/>, the server process starts with an empty
+    /// environment. This dictionary is the sole source of environment variables for the child process.
     /// </para>
     /// </remarks>
     public IDictionary<string, string?>? EnvironmentVariables { get; set; }
diff --git a/tests/ModelContextProtocol.Tests/Transport/StdioClientTransportTests.cs b/tests/ModelContextProtocol.Tests/Transport/StdioClientTransportTests.cs
index 1a999fd14..41e6c7a6c 100644
--- a/tests/ModelContextProtocol.Tests/Transport/StdioClientTransportTests.cs
+++ b/tests/ModelContextProtocol.Tests/Transport/StdioClientTransportTests.cs
@@ -150,6 +150,111 @@ public async Task EscapesCliArgumentsCorrectly(string? cliArgumentValue)
         Assert.Equal(cliArgumentValue ?? "", content.Text);
     }
 
+    [Fact(Skip = "Platform not supported by this test.", SkipUnless = nameof(IsStdErrCallbackSupported))]
+    public async Task InheritEnvironmentVariables_DefaultTrue_ChildSeesParentEnvVars()
+    {
+        // Check the same variable the False test checks for absence (HOME on Unix, USERNAME on Windows)
+        // so the two tests form a direct symmetric pair: one asserts it IS set, the other asserts it is NOT.
+        var tcs = new TaskCompletionSource<string>();
+        StdioClientTransport transport = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ?
+            new(new() { Command = "cmd", Arguments = ["/c", "if defined USERNAME (echo USERNAME_IS_SET >&2) else (echo USERNAME_NOT_SET >&2) & exit /b 1"], StandardErrorLines = line => tcs.TrySetResult(line) }, LoggerFactory) :
+            new(new() { Command = "sh", Arguments = ["-c", "if [ -n \"$HOME\" ]; then echo HOME_IS_SET >&2; else echo HOME_NOT_SET >&2; fi; exit 1"], StandardErrorLines = line => tcs.TrySetResult(line) }, LoggerFactory);
+
+        await Assert.ThrowsAnyAsync<IOException>(() => McpClient.CreateAsync(transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken));
+
+        using var cts = new CancellationTokenSource(TestConstants.DefaultTimeout);
+        string capturedLine = await tcs.Task.WaitAsync(cts.Token);
+
+        Assert.Equal(RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? "USERNAME_IS_SET" : "HOME_IS_SET", capturedLine.Trim());
+    }
+
+    [Fact(Skip = "Platform not supported by this test.", SkipUnless = nameof(IsStdErrCallbackSupported))]
+    public async Task InheritEnvironmentVariables_False_ChildDoesNotSeeParentEnvVars()
+    {
+        // Pass PATH so cmd/sh can be located. Verify that HOME (Unix) / USERNAME (Windows),
+        // which are always set in the parent, are absent because they were not explicitly provided.
+        var tcs = new TaskCompletionSource<string>();
+        StdioClientTransport transport = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ?
+            new(new()
+            {
+                Command = "cmd",
+                Arguments = ["/c", "if defined USERNAME (echo USERNAME_IS_SET >&2) else (echo USERNAME_NOT_SET >&2) & exit /b 1"],
+                InheritEnvironmentVariables = false,
+                EnvironmentVariables = new Dictionary<string, string?> { ["PATH"] = Environment.GetEnvironmentVariable("PATH") },
+                StandardErrorLines = line => tcs.TrySetResult(line)
+            }, LoggerFactory) :
+            new(new()
+            {
+                Command = "sh",
+                Arguments = ["-c", "if [ -n \"$HOME\" ]; then echo HOME_IS_SET >&2; else echo HOME_NOT_SET >&2; fi; exit 1"],
+                InheritEnvironmentVariables = false,
+                EnvironmentVariables = new Dictionary<string, string?> { ["PATH"] = Environment.GetEnvironmentVariable("PATH") },
+                StandardErrorLines = line => tcs.TrySetResult(line)
+            }, LoggerFactory);
+
+        await Assert.ThrowsAnyAsync<IOException>(() => McpClient.CreateAsync(transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken));
+
+        using var cts = new CancellationTokenSource(TestConstants.DefaultTimeout);
+        string capturedLine = await tcs.Task.WaitAsync(cts.Token);
+
+        // HOME / USERNAME were in the parent but not passed — should be absent in the child.
+        Assert.Equal(RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? "USERNAME_NOT_SET" : "HOME_NOT_SET", capturedLine.Trim());
+    }
+
+    [Fact(Skip = "Platform not supported by this test.", SkipUnless = nameof(IsStdErrCallbackSupported))]
+    public async Task InheritEnvironmentVariables_False_WithExplicitVars_ChildSeesOnlyExplicitVars()
+    {
+        // Pass PATH + one explicit var. Verify HOME (Unix) / USERNAME (Windows) is absent,
+        // and the explicitly provided variable is visible.
+        const string explicitVarName = "MCP_STDIO_TEST_EXPLICIT_VAR";
+        const string explicitVarValue = "explicit_test_value";
+
+        var capturedLines = new List<string>();
+        var lineCount = 0;
+        var tcs = new TaskCompletionSource<bool>();
+        void CaptureLines(string line)
+        {
+            lock (capturedLines)
+            {
+                capturedLines.Add(line.Trim());
+                if (Interlocked.Increment(ref lineCount) >= 2)
+                    tcs.TrySetResult(true);
+            }
+        }
+
+        StdioClientTransport transport = RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ?
+            new(new()
+            {
+                Command = "cmd",
+                Arguments = ["/c",
+                    $"if defined USERNAME (echo USERNAME_IS_SET >&2) else (echo USERNAME_NOT_SET >&2) " +
+                    $"& if defined {explicitVarName} (echo EXPLICIT_IS_SET >&2) else (echo EXPLICIT_NOT_SET >&2) " +
+                    $"& exit /b 1"],
+                InheritEnvironmentVariables = false,
+                EnvironmentVariables = new Dictionary<string, string?> { ["PATH"] = Environment.GetEnvironmentVariable("PATH"), [explicitVarName] = explicitVarValue },
+                StandardErrorLines = CaptureLines
+            }, LoggerFactory) :
+            new(new()
+            {
+                Command = "sh",
+                Arguments = ["-c",
+                    $"if [ -n \"$HOME\" ]; then echo HOME_IS_SET >&2; else echo HOME_NOT_SET >&2; fi; " +
+                    $"if [ -n \"${explicitVarName}\" ]; then echo EXPLICIT_IS_SET >&2; else echo EXPLICIT_NOT_SET >&2; fi; exit 1"],
+                InheritEnvironmentVariables = false,
+                EnvironmentVariables = new Dictionary<string, string?> { ["PATH"] = Environment.GetEnvironmentVariable("PATH"), [explicitVarName] = explicitVarValue },
+                StandardErrorLines = CaptureLines
+            }, LoggerFactory);
+
+        await Assert.ThrowsAnyAsync<IOException>(() => McpClient.CreateAsync(transport, loggerFactory: LoggerFactory, cancellationToken: TestContext.Current.CancellationToken));
+
+        using var cts = new CancellationTokenSource(TestConstants.DefaultTimeout);
+        await tcs.Task.WaitAsync(cts.Token);
+
+        string allOutput = string.Join(Environment.NewLine, capturedLines);
+        Assert.Contains(RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? "USERNAME_NOT_SET" : "HOME_NOT_SET", allOutput);
+        Assert.Contains("EXPLICIT_IS_SET", allOutput);
+    }
+
     [Fact]
     public async Task SendMessageAsync_Should_Use_LF_Not_CRLF()
     {