diff --git a/changelogs/fragments/ensure_discovery_unsafe.yml b/changelogs/fragments/ensure_discovery_unsafe.yml
new file mode 100644
index 00000000000..10a001a021d
--- /dev/null
+++ b/changelogs/fragments/ensure_discovery_unsafe.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - SECURITY Fixed the python interpreter detection, added in 2.8.0alpha1, to properly mark the returned data as untemplatable.
+    This prevents a malicious managed machine from running code on the controller via templating.
diff --git a/lib/ansible/plugins/action/__init__.py b/lib/ansible/plugins/action/__init__.py
index ba70552bf1a..8eb198a78f4 100644
--- a/lib/ansible/plugins/action/__init__.py
+++ b/lib/ansible/plugins/action/__init__.py
@@ -29,7 +29,7 @@ from ansible.module_utils._text import to_bytes, to_native, to_text
 from ansible.parsing.utils.jsonify import jsonify
 from ansible.release import __version__
 from ansible.utils.display import Display
-from ansible.utils.unsafe_proxy import wrap_var
+from ansible.utils.unsafe_proxy import wrap_var, AnsibleUnsafeText
 from ansible.vars.clean import remove_internal_keys
 
 display = Display()
@@ -203,11 +203,11 @@ class ActionBase(with_metaclass(ABCMeta, object)):
                                                                             environment=final_environment)
                 break
             except InterpreterDiscoveryRequiredError as idre:
-                self._discovered_interpreter = discover_interpreter(
+                self._discovered_interpreter = AnsibleUnsafeText(discover_interpreter(
                     action=self,
                     interpreter_name=idre.interpreter_name,
                     discovery_mode=idre.discovery_mode,
-                    task_vars=task_vars)
+                    task_vars=task_vars))
 
                 # update the local task_vars with the discovered interpreter (which might be None);
                 # we'll propagate back to the controller in the task result
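Review bot: Wrapping the call in `AnsibleUnsafeText(...)` in the second hunk of `lib/ansible/plugins/action/__init__.py` turns a `None` result into the text `'None'`, which contradicts the comment two lines below it (`which might be None`) — if `discover_interpreter` can really return `None`, `self._discovered_interpreter` becomes a truthy string that is then propagated into task_vars and the task result as if it were a real interpreter path. `wrap_var`, already imported on the line the first hunk edits, is the usual way to mark a value untemplatable and, as far as I recall, leaves `None` untouched while still returning unsafe text for strings; `self._discovered_interpreter = wrap_var(discover_interpreter(` would keep the documented contract and make the added `AnsibleUnsafeText` import unnecessary (confirm against unsafe_proxy). If `discover_interpreter` never returns `None`, the stale comment should be corrected instead so the next reader does not rely on it. The enclosing method starts and ends outside the hunk, so the later consumers of `self._discovered_interpreter` are not visible here.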