diff --git a/.changelog/11215.txt b/.changelog/11215.txt
new file mode 100644
index 000000000000..89e42cab2b02
--- /dev/null
+++ b/.changelog/11215.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+client: Added `NOMAD_LICENSE` to default environment variable deny list.
+```
diff --git a/client/config/config.go b/client/config/config.go
index cb90561a0ef5..7d19db9574fa 100644
--- a/client/config/config.go
+++ b/client/config/config.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/nomad/client/lib/cgutil"
+	"github.com/hashicorp/nomad/command/agent/host"
 
 	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/nomad/client/state"
@@ -23,14 +24,7 @@ import (
 var (
 	// DefaultEnvDenylist is the default set of environment variables that are
 	// filtered when passing the environment variables of the host to a task.
-	// duplicated in command/agent/host, update that if this changes.
-	DefaultEnvDenylist = strings.Join([]string{
-		"CONSUL_TOKEN",
-		"CONSUL_HTTP_TOKEN",
-		"VAULT_TOKEN",
-		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-		"GOOGLE_APPLICATION_CREDENTIALS",
-	}, ",")
+	DefaultEnvDenylist = strings.Join(host.DefaultEnvDenyList, ",")
 
 	// DefaultUserDenylist is the default set of users that tasks are not
 	// allowed to run as when using a driver in "user.checked_drivers"
diff --git a/command/agent/host/host.go b/command/agent/host/host.go
index 1940a01d22c8..9119f7b96ccc 100644
--- a/command/agent/host/host.go
+++ b/command/agent/host/host.go
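Review bot: `client/config` now imports `command/agent/host` to build `DefaultEnvDenylist`, which inverts the dependency the removed comment in host.go was guarding against (it kept a private copy "in order to avoid an import cycle"); this compiles only because nothing under `command/agent/host` reaches back into `client/config` today, and a later import in that direction would recreate the cycle. A dependency-free leaf package that both sides import would make the single source of truth harder to break. Separately, `DefaultEnvDenylist` is snapshotted with `strings.Join` at package init, whereas `makeEnvRedactSet` in host.go ranges over `host.DefaultEnvDenyList` on each call, so the two views only agree as long as nobody mutates the exported slice at runtime; a pointer comment would help the next editor, e.g. `// Derived from host.DefaultEnvDenyList at package init; edit that slice, not this string.`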
@@ -87,20 +87,25 @@ func environment() map[string]string {
 	return env
 }
 
+// DefaultEnvDenyList is the default set of environment variables that are
+// filtered when passing the environment variables of the host to the task.
+//
+// Update https://www.nomadproject.io/docs/configuration/client#env-denylist
+// whenever this is changed.
+var DefaultEnvDenyList = []string{
+	"CONSUL_TOKEN",
+	"CONSUL_HTTP_TOKEN",
+	"VAULT_TOKEN",
+	"NOMAD_LICENSE",
+	"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
+	"GOOGLE_APPLICATION_CREDENTIALS",
+}
+
 // makeEnvRedactSet creates a set of well known environment variables that should be
 // redacted in the output
 func makeEnvRedactSet() map[string]struct{} {
-	// Duplicated from config.DefaultEnvBlacklist in order to avoid an import cycle
-	configDefault := []string{
-		"CONSUL_TOKEN",
-		"CONSUL_HTTP_TOKEN",
-		"VAULT_TOKEN",
-		"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
-		"GOOGLE_APPLICATION_CREDENTIALS",
-	}
-
 	set := make(map[string]struct{})
-	for _, e := range configDefault {
+	for _, e := range DefaultEnvDenyList {
 		set[e] = struct{}{}
 	}
 
diff --git a/website/content/docs/configuration/client.mdx b/website/content/docs/configuration/client.mdx
index a7cb7a134e29..f67c790ae129 100644
--- a/website/content/docs/configuration/client.mdx
+++ b/website/content/docs/configuration/client.mdx
@@ -235,6 +235,7 @@ see the [drivers documentation](/docs/drivers).
 CONSUL_TOKEN
 CONSUL_HTTP_TOKEN
 VAULT_TOKEN
+NOMAD_LICENSE
 AWS_ACCESS_KEY_ID
 AWS_SECRET_ACCESS_KEY
 AWS_SESSION_TOKEN
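Review bot: `DefaultEnvDenyList` is an exported, mutable package-level slice, so any importer can append to, reorder or shrink it at runtime, and because `makeEnvRedactSet` ranges over it on every call while `client/config` joins it into a string once at init, a mutation would silently make the host redaction set disagree with the task env filter that is meant to keep the same secrets (now including `NOMAD_LICENSE`) out of task environments. An accessor returning a fresh copy of an unexported slice keeps one source of truth with the same import structure, e.g. `var defaultEnvDenyList = []string{ ... }` plus `func DefaultEnvDenyList() []string { return append([]string(nil), defaultEnvDenyList...) }`, with callers switching to `host.DefaultEnvDenyList()`. If the exported var is kept, a comment such as `// Treat as read-only: consumers copy this at init, so runtime mutation desynchronises them.` should sit above it. `makeEnvRedactSet`'s body continues past the hunk.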