diff --git a/.changelog/27001.txt b/.changelog/27001.txt
new file mode 100644
index 00000000000..5fb082500b7
--- /dev/null
+++ b/.changelog/27001.txt
@@ -0,0 +1,3 @@
+```release-note:security
+job: Disallow tasks using the name "alloc" which breaks inter-task filesystem isolation
+```
diff --git a/nomad/structs/structs.go b/nomad/structs/structs.go
index 968eb2bd2cb..f1803950b83 100644
--- a/nomad/structs/structs.go
+++ b/nomad/structs/structs.go
@@ -8113,6 +8113,12 @@ func (t *Task) Validate(jobType string, tg *TaskGroup) error {
 	if t.Name == "" {
 		mErr.Errors = append(mErr.Errors, errors.New("Missing task name"))
 	}
+
+	// Tasks cannot be named "alloc" as this conflicts with and breaks task
+	// filesystem isolation features.
+	if t.Name == "alloc" {
+		mErr.Errors = append(mErr.Errors, errors.New("Task cannot be named \"alloc\""))
+	}
 	if strings.ContainsAny(t.Name, `/\`) {
 		// We enforce this so that when creating the directory on disk it will
 		// not have any slashes.
diff --git a/nomad/structs/structs_test.go b/nomad/structs/structs_test.go
index 774e30fe01c..51b037100af 100644
--- a/nomad/structs/structs_test.go
+++ b/nomad/structs/structs_test.go
@@ -2237,6 +2237,10 @@ func TestTask_Validate(t *testing.T) {
 		"task level: distinct_hosts",
 		"task level: distinct_property",
 	)
+
+	// Ensure the task name "alloc" is invalid.
+	invalidAllocName := &Task{Name: "alloc"}
+	must.ErrorContains(t, invalidAllocName.Validate(JobTypeBatch, tg), "Task cannot be named")
 }
 
 func TestTask_Validate_Resources(t *testing.T) {
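Review bot: The new guard in Task.Validate rejects only the exact string "alloc", so a task named "Alloc" or "ALLOC" still passes, yet the context lines right below show the task name is used as a directory name on disk, where a case-insensitive filesystem would presumably produce the same collision; since strings is already in scope (the ContainsAny check uses it), `if strings.EqualFold(t.Name, "alloc") {` closes that gap with no other change. The comment could also say what the name collides with rather than only that it "conflicts", e.g. `// The task name becomes a directory under the allocation directory, where "alloc" is reserved; a task by that name breaks per-task filesystem isolation.` — adjust to whatever the reserved entry actually is. If Validate is the only enforcement point, jobs already registered with this task name are not caught by it; that is inferred from the hunk, not shown. Validate's body begins and ends outside the hunk.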
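Review bot: The new assertion in TestTask_Validate only shows that "alloc" is rejected; it does not show that the check is narrow, so an accidental prefix or substring match in a later refactor would go unnoticed. A sibling case with a name such as `allocator` or `alloc-db`, asserting that the error returned by `Validate(JobTypeBatch, tg)` does not contain "Task cannot be named", would pin that boundary; the exact assertion helper depends on the must package's API, which is not visible here. tg is defined earlier in the function, outside the hunk.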