diff --git a/cli/login.go b/cli/login.go
index 9658edb835c2e..e068077539f4a 100644
--- a/cli/login.go
+++ b/cli/login.go
@@ -153,7 +153,7 @@ func login() *cobra.Command {
 
 			authURL := *serverURL
 			authURL.Path = serverURL.Path + "/cli-auth"
-			if err := openURL(authURL.String()); err != nil {
+			if err := openURL(cmd, authURL.String()); err != nil {
 				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Open the following in your browser:\n\n\t%s\n\n", authURL.String())
 			} else {
 				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Your browser has been opened to visit:\n\n\t%s\n\n", authURL.String())
@@ -211,21 +211,22 @@ func isWSL() (bool, error) {
 }
 
 // openURL opens the provided URL via user's default browser
-func openURL(urlToOpen string) error {
-	var cmd string
-	var args []string
-
+func openURL(cmd *cobra.Command, urlToOpen string) error {
+	noOpen, err := cmd.Flags().GetBool(varNoOpen)
+	if err != nil {
+		panic(err)
+	}
+	if noOpen {
+		return xerrors.New("opening is blocked")
+	}
 	wsl, err := isWSL()
 	if err != nil {
 		return xerrors.Errorf("test running Windows Subsystem for Linux: %w", err)
 	}
 
 	if wsl {
-		cmd = "cmd.exe"
-		args = []string{"/c", "start"}
-		urlToOpen = strings.ReplaceAll(urlToOpen, "&", "^&")
-		args = append(args, urlToOpen)
-		return exec.Command(cmd, args...).Start()
+		// #nosec
+		return exec.Command("cmd.exe", "/c", "start", strings.ReplaceAll(urlToOpen, "&", "^&")).Start()
 	}
 
 	return browser.OpenURL(urlToOpen)
diff --git a/cli/login_test.go b/cli/login_test.go
index e9f3cc13ecf3f..08b7f8f69370a 100644
--- a/cli/login_test.go
+++ b/cli/login_test.go
@@ -69,7 +69,7 @@ func TestLogin(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty")
+		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty", "--no-open")
 		pty := ptytest.New(t)
 		root.SetIn(pty.Input())
 		root.SetOut(pty.Output())
@@ -94,7 +94,7 @@ func TestLogin(t *testing.T) {
 		})
 		require.NoError(t, err)
 
-		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty")
+		root, _ := clitest.New(t, "login", client.URL.String(), "--force-tty", "--no-open")
 		pty := ptytest.New(t)
 		root.SetIn(pty.Input())
 		root.SetOut(pty.Output())
diff --git a/cli/root.go b/cli/root.go
index 55e2b4c1d65ef..0c7358453d1e0 100644
--- a/cli/root.go
+++ b/cli/root.go
@@ -20,6 +20,7 @@ import (
 
 const (
 	varGlobalConfig = "global-config"
+	varNoOpen       = "no-open"
 	varForceTty     = "force-tty"
 )
 
@@ -71,6 +72,11 @@ func Root() *cobra.Command {
 		// This should never return an error, because we just added the `--force-tty`` flag prior to calling MarkHidden.
 		panic(err)
 	}
+	cmd.PersistentFlags().Bool(varNoOpen, false, "Block automatically opening URLs in the browser.")
+	err = cmd.PersistentFlags().MarkHidden(varNoOpen)
+	if err != nil {
+		panic(err)
+	}
 
 	return cmd
 }