EXECUTIVE SUMMARY:
CVE-2026-41570 with a CVSS score of 7.8 is a critical argument injection vulnerability in PHPUnit, the industry-standard testing framework, that affects versions 12.5.21, 13.1.5. The flaw lies in how PHPUnit forwards configuration settings to child processes during isolated test execution, passing these settings as command-line arguments without properly neutralizing special characters, which allows PHP's INI parser to interpret a newline as a directive separator. Attackers can exploit this vulnerability by injecting a newline into a single INI value, "breaking out" and inserting entirely new configuration directives, such as setting the auto_prepend_file to a malicious path, yielding Remote Code Execution (RCE) the moment the child process starts. The most realistic exploitation scenario involves Poisoned Pipeline Execution (PPE), where an untrusted contributor submits a pull request modifying the project's phpunit .xml file to include a malicious newline character, which can easily slip past human auditors. If the CI system runs PHPUnit against the un-vetted pull request without strict isolation, the build server is immediately compromised, resulting in a significant business impact and consequences, including unauthorized data access and disruption of automated build and integration environments.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-41570 with a CVSS score of 7.8 is a critical argument injection vulnerability in PHPUnit, the industry-standard testing framework, that affects versions 12.5.21, 13.1.5. The flaw lies in how PHPUnit forwards configuration settings to child processes during isolated test execution, passing these settings as command-line arguments without properly neutralizing special characters, which allows PHP's INI parser to interpret a newline as a directive separator. Attackers can exploit this vulnerability by injecting a newline into a single INI value, "breaking out" and inserting entirely new configuration directives, such as setting the auto_prepend_file to a malicious path, yielding Remote Code Execution (RCE) the moment the child process starts. The most realistic exploitation scenario involves Poisoned Pipeline Execution (PPE), where an untrusted contributor submits a pull request modifying the project's phpunit .xml file to include a malicious newline character, which can easily slip past human auditors. If the CI system runs PHPUnit against the un-vetted pull request without strict isolation, the build server is immediately compromised, resulting in a significant business impact and consequences, including unauthorized data access and disruption of automated build and integration environments.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you to update PHPUnit to version 12.5.22, 13.1.6.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/phpunit-rce-vulnerability-cve-2026-41570-pipeline-risk/