diff --git a/awx/main/tasks.py b/awx/main/tasks.py
index a48b7a3b19..6a448a1b7b 100644
--- a/awx/main/tasks.py
+++ b/awx/main/tasks.py
@@ -478,16 +478,17 @@ class BaseTask(Task):
         '''
         hidden_re = re.compile(r'API|TOKEN|KEY|SECRET|PASS', re.I)
         urlpass_re = re.compile(r'^.*?://[^:]+:(.*?)@.*?$')
-        for k,v in env.items():
+        safe_env = dict(env)
+        for k,v in safe_env.items():
             if k in ('REST_API_URL', 'AWS_ACCESS_KEY', 'AWS_ACCESS_KEY_ID'):
                 continue
             elif k.startswith('ANSIBLE_') and not k.startswith('ANSIBLE_NET'):
                 continue
             elif hidden_re.search(k):
-                env[k] = HIDDEN_PASSWORD
+                safe_env[k] = HIDDEN_PASSWORD
             elif type(v) == str and urlpass_re.match(v):
-                env[k] = urlpass_re.sub(HIDDEN_PASSWORD, v)
-        return env
+                safe_env[k] = urlpass_re.sub(HIDDEN_PASSWORD, v)
+        return safe_env
 
     def args2cmdline(self, *args):
         return ' '.join([pipes.quote(a) for a in args])
diff --git a/awx/main/tests/unit/test_tasks.py b/awx/main/tests/unit/test_tasks.py
index 387506ce4c..16b9bc6b14 100644
--- a/awx/main/tests/unit/test_tasks.py
+++ b/awx/main/tests/unit/test_tasks.py
@@ -84,6 +84,12 @@ def test_safe_env_filtering(key, value):
     assert task.build_safe_env({key: value})[key] == tasks.HIDDEN_PASSWORD
 
 
+def test_safe_env_returns_new_copy():
+    task = tasks.RunJob()
+    env = {'foo': 'bar'}
+    assert task.build_safe_env(env) is not env
+
+
 def test_openstack_client_config_generation(mocker):
     update = tasks.RunInventoryUpdate()
     inventory_update = mocker.Mock(**{