diff --git a/CHANGELOG.md b/CHANGELOG.md index f246370..0097b73 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ ## Unreleased +Major (Breaking Change): + +* `exportEnv` now defaults to `false`. If you relied on that feature please switch it to `true` or reference via outputs. + This change was made to facilitate a better default supply chain security position. (https://github.com/hashicorp/vault-action/pull/598) + ## 3.4.0 (June 13, 2025) Bugs: diff --git a/README.md b/README.md index ad34e50..47c2fdc 100644 --- a/README.md +++ b/README.md @@ -357,7 +357,7 @@ steps: run: "my-cli --token '${{ steps.secrets.outputs.npmToken }}'" ``` -_**Note:** If you'd like to only use outputs and disable automatic environment variables, you can set the `exportEnv` option to `false`._ +_**Note:** By default, environment variable export is disabled. If you’d like to enable automatic environment variables, you can set the `exportEnv` option to `true`._ ### Set Output Variable Name @@ -403,7 +403,7 @@ with: secret/data/ci/aws * | MYAPP_ ; ``` -When using the `exportEnv` option all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`. +When using the `exportEnv` option (when enabled), all exported keys will be normalized to uppercase. For example, the key `SecretKey` would be exported as `MYAPP_SECRETKEY`. You can disable uppercase normalization by specifying double asterisks `**` in the selector path: ```yaml @@ -675,9 +675,9 @@ A string of newline separated extra headers to include on every request. ### `exportEnv` **Type: `string`**\ -**Default: `true`** +**Default: `false`** -Whether or not to export secrets as environment variables. +Whether or not to export secrets as environment variables. This is disabled by default and must be explicitly enabled if environment variable export is desired. ### `exportToken` diff --git a/action.yml b/action.yml index 3885b39..d7913af 100644 --- a/action.yml 
+++ b/action.yml @@ -56,7 +56,7 @@ inputs: required: false exportEnv: description: 'Whether or not export secrets as environment variables.' - default: 'true' + default: 'false' required: false exportToken: description: 'Whether or not export Vault token as environment variables.'
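Review bot: The new CHANGELOG entry under "Major (Breaking Change)" tells users to "switch it to `true` or reference via outputs" but does not say which workflow steps will break. Suggest stating it explicitly, e.g. "Steps that read secrets through `env.` / `$VAR` will no longer see them unless `exportEnv: true` is set; `steps.<id>.outputs.<name>` continues to work", and wording the motivation concretely ("exported environment variables are visible to every later step and child process in the job") rather than only "a better default supply chain security position".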
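Review bot: In the README hunk at `@@ -357,7 +357,7 @@`, the replacement Note introduces a typographic apostrophe in "If you’d like" while the removed line and the rest of the file use a straight `'`. Keep the file's straight-quote style: "If you'd like to enable automatic environment variables, you can set the `exportEnv` option to `true`."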
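Review bot: In the README hunk at `@@ -403,7 +403,7 @@`, "When using the `exportEnv` option (when enabled), all exported keys" reads awkwardly; the parenthetical duplicates the condition. Suggest "When `exportEnv` is enabled, all exported keys will be normalized to uppercase." The uppercase-normalization and `**` behaviour described after it is unchanged, so only the lead-in sentence needs the edit.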
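Review bot: The `action.yml` hunk flips `default: 'true'` to `'false'` but leaves the `exportEnv` description unchanged, so users reading the action metadata get no hint that the behaviour is now opt-in; the description also has a grammar slip ("Whether or not export secrets"). Suggest updating the context line to `description: 'Whether or not to export secrets as environment variables. Defaults to false.'` so it matches the README's new `**Default: `false`**` entry, and, since this is a documented breaking change, confirm the release is tagged as a new major version rather than a 3.x patch.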