CVE-2026-41570 Overview
CVE-2026-41570 is an argument injection vulnerability [CWE-88] in PHPUnit, a widely used testing framework for PHP. In the affected releases, 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes as -d name=value command-line arguments without neutralizing INI metacharacters. An attacker who can influence a single forwarded INI value can therefore inject additional directives, including auto_prepend_file, into the child process configuration; pointing auto_prepend_file at an attacker-controlled path achieves code execution in the child PHP process. The maintainers patched the issue in versions 12.5.22 and 13.1.6.
Critical Impact
Attackers controlling a single forwarded INI value can inject arbitrary directives and execute code in PHPUnit child processes used for isolated and PHPT test execution.
Affected Products
- PHPUnit 12.5.21
- PHPUnit 13.1.5
- PHP projects relying on PHPUnit for isolated or PHPT test execution
Discovery Timeline
- 2026-05-08 - CVE-2026-41570 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-41570
Vulnerability Analysis
PHPUnit spawns child PHP processes to run tests in isolation and to execute PHPT files. When doing so, it forwards INI settings from the parent configuration to the child process using -d name=value command-line arguments. The framework does not sanitize the value portion before passing it to the child interpreter.
PHP's INI parser treats certain characters as syntax: a double quote delimits a string value, a semicolon starts a comment, and a newline separates directives. The PHP CLI accumulates its -d options into a block of INI text that it then parses, so a value containing a newline is read by the child as several directives rather than one setting, and a semicolon or stray quote can truncate or reshape the directive it appears in.
An attacker who controls one INI value can append directives such as auto_prepend_file, extension, disable_functions, or open_basedir. Pointing auto_prepend_file at an attacker-controlled file causes PHP to execute that file before the requested script runs, yielding code execution in the child process.
Root Cause
The root cause is missing input neutralization before constructing child process arguments [CWE-88]. PHPUnit concatenates INI values into the command line without escaping or rejecting newline, quote, and comment characters that carry syntactic meaning to PHP's INI parser.
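The following is an added example, not PHPUnit's code. It models the vulnerable pattern described above (INI values concatenated into -d options verbatim), a small model of how the child CLI turns those options into INI text and parses it, and a hardened builder that refuses names and values carrying INI syntax. The parser here implements only the three rules the text describes and is not PHP's real INI parser; the file path is a constructed placeholder.

```python
"""Model of CVE-2026-41570's injection primitive and its neutralization.

Added example, not PHPUnit's code. parse_ini_text() is a deliberately small
model of three INI rules (newline separates directives, ';' starts a comment,
double quotes delimit a value); it is not PHP's INI parser. Paths and
settings below are constructed sample data.
"""
import re
from typing import Dict, List

INI_METACHARS = ("\n", "\r", '"', ";")      # syntax to PHP's INI parser
NAME_RE = re.compile(r"[A-Za-z0-9_.]+")      # assumed shape of a directive name


def build_d_args_vulnerable(ini: Dict[str, str]) -> List[str]:
    """Vulnerable pattern: each setting is concatenated into a -d option verbatim."""
    args: List[str] = []
    for name, value in ini.items():
        args += ["-d", f"{name}={value}"]
    return args


def cli_ini_text(argv: List[str]) -> str:
    """Model of the CLI side: every -d option is appended to an INI text buffer,
    one per line, and the buffer is then parsed as INI. A value that already
    contains a newline therefore contributes more than one line."""
    lines: List[str] = []
    i = 0
    while i < len(argv):
        if argv[i] == "-d" and i + 1 < len(argv):
            lines.append(argv[i + 1])
            i += 2
        else:
            i += 1
    return "\n".join(lines) + "\n"


def parse_ini_text(text: str) -> Dict[str, str]:
    """Minimal INI model: one directive per line, ';' starts a comment unless
    the value is double-quoted, quotes delimit the value."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith('"'):
            end = value.find('"', 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            value = value.split(";", 1)[0].rstrip()
        settings[name] = value
    return settings


def child_settings(ini: Dict[str, str]) -> Dict[str, str]:
    """Settings the child interpreter ends up with under the vulnerable builder."""
    return parse_ini_text(cli_ini_text(build_d_args_vulnerable(ini)))


def build_d_args_hardened(ini: Dict[str, str]) -> List[str]:
    """Fail closed: refuse names and values that carry INI syntax. Rejecting
    is simpler to reason about than escaping when the input is untrusted."""
    args: List[str] = []
    for name, value in ini.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"refusing INI directive name {name!r}")
        bad = [ch for ch in INI_METACHARS if ch in value]
        if bad:
            raise ValueError(f"refusing INI value for {name}: contains {bad!r}")
        args += ["-d", f"{name}={value}"]
    return args


def rejects(ini: Dict[str, str]) -> bool:
    """True if the hardened builder refuses this set of settings."""
    try:
        build_d_args_hardened(ini)
    except ValueError:
        return True
    return False


# Constructed inputs: one clean set, one whose single value an attacker influenced.
CLEAN = {"display_errors": "1", "memory_limit": "-1"}
TAINTED = {"display_errors": "1\nauto_prepend_file=/tmp/payload.php"}

if __name__ == "__main__":
    print(child_settings(TAINTED))        # two directives reach the child, not one
    print(build_d_args_hardened(CLEAN))
    print("tainted rejected:", rejects(TAINTED))
```

The vulnerable path turns the one forwarded setting in TAINTED into two directives in the child, which is exactly the split the text describes; the hardened builder refuses the same input before any process is spawned.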
Attack Vector
Exploitation requires local access and the ability to influence at least one INI value that PHPUnit forwards to a child process, for example in continuous integration pipelines, shared development environments, or any workflow where untrusted input reaches PHPUnit's INI configuration. Once a value containing a newline is forwarded, the child interpreter parses the injected directives and loads attacker-controlled code. The weakness is a parser-level injection; no verified public exploit code has been published.
See the GHSA-qrr6-mg7r-m243 advisory for technical details on the injection primitive.
Detection Methods for CVE-2026-41570
Indicators of Compromise
- Unexpected auto_prepend_file, auto_append_file, or extension directives in the command lines of PHP child processes spawned by PHPUnit.
- -d arguments in those child processes containing newline characters, embedded double quotes, or semicolons.
- PHP child processes loading files outside the project source tree during test runs.
Detection Strategies
- Inspect process command-line telemetry for php invocations originating from PHPUnit that contain suspicious -d payloads or non-printable characters.
- Audit test runner logs and CI job artifacts for unexpected INI directives or file reads outside the workspace.
- Run software composition analysis to flag PHPUnit 12.5.21 or 13.1.5 in project dependencies and lockfiles.
Monitoring Recommendations
- Track child process creation events from PHPUnit, capturing full command lines for forensic review.
- Alert on PHP processes reading or including files from world-writable directories during test execution.
- Monitor changes to CI environment variables and configuration files that feed INI values into PHPUnit.
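The detection logic described above, as an added example that is not part of the advisory or of PHPUnit: it scans process-creation records for php children of a PHPUnit run and flags -d options that carry INI metacharacters, that smuggle extra directives after a newline, or that pass one of the watched directive names directly. The telemetry format (JSON lines with pid, parent_argv and argv fields) and all sample events are constructed for this example; adapt the field names to whatever your EDR or auditd pipeline emits, and note that a pipeline which flattens argv into one string may mangle the newline you are looking for.

```python
"""Scan process-creation telemetry for suspicious -d options in php children
spawned by PHPUnit. Added example, not PHPUnit's code; record layout and
sample events are constructed for illustration."""
import json
import re
from typing import Dict, Iterable, List, Tuple

# Directive names the advisory summary lists as unexpected in test children.
WATCHED_DIRECTIVES = {
    "auto_prepend_file", "auto_append_file", "extension",
    "disable_functions", "open_basedir",
}
# Double quote, semicolon, or any control character (newline included).
METACHAR_RE = re.compile(r'[";\x00-\x1f\x7f]')
PHP_BINARY_RE = re.compile(r"php[\d.]*")


def extract_d_settings(argv: List[str]) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from php's -d options, accepting both the
    '-d name=value' and '-dname=value' forms. Parsing stops at the first
    non-option argument, which is the script; anything after it is script input."""
    pairs: List[Tuple[str, str]] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-d" and i + 1 < len(argv):
            setting, i = argv[i + 1], i + 2
        elif arg.startswith("-d") and len(arg) > 2:
            setting, i = arg[2:], i + 1
        elif arg == "--" or not arg.startswith("-"):
            break
        else:
            i += 1
            continue
        name, _, value = setting.partition("=")
        pairs.append((name.strip(), value))
    return pairs


def injected_directive_names(value: str) -> List[str]:
    """Directive names on lines after the first of a -d value: the directives
    a newline injection would add to the child's configuration."""
    names: List[str] = []
    for line in re.split(r"\r?\n", value)[1:]:
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=", line)
        if m:
            names.append(m.group(1))
    return names


def spawned_by_phpunit(record: Dict) -> bool:
    """PHPUnit runs as `php vendor/bin/phpunit ...`, so the parent's argv
    carries a script whose basename is phpunit (constructed field: parent_argv)."""
    return any(a.rstrip("/").rsplit("/", 1)[-1] == "phpunit"
               for a in record.get("parent_argv", []))


def analyze(record: Dict) -> List[str]:
    """Findings for one process-creation record; empty if nothing is suspicious."""
    argv = record.get("argv", [])
    if not argv or not PHP_BINARY_RE.fullmatch(argv[0].rsplit("/", 1)[-1]):
        return []
    if not spawned_by_phpunit(record):
        return []
    findings: List[str] = []
    for name, value in extract_d_settings(argv):
        if METACHAR_RE.search(value):
            findings.append(f"INI metacharacter in -d {name}")
        for injected in injected_directive_names(value):
            findings.append(f"injected directive {injected} via -d {name}")
        if name in WATCHED_DIRECTIVES:
            findings.append(f"watched directive {name} passed directly")
    return findings


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run analyze() over JSON-lines telemetry and return (pid, finding) pairs."""
    hits: List[Tuple[int, str]] = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        hits.extend((rec["pid"], f) for f in analyze(rec))
    return hits


# Constructed telemetry: a benign child, a newline-injected child, a child
# handed a watched directive outright, and a php process not from PHPUnit.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"pid": 4101, "parent_argv": ["php", "vendor/bin/phpunit", "--process-isolation"],
     "argv": ["/usr/bin/php", "-d", "display_errors=1", "-d", "memory_limit=-1",
              "/tmp/isolated_test.php"]},
    {"pid": 4102, "parent_argv": ["php", "vendor/bin/phpunit", "--process-isolation"],
     "argv": ["/usr/bin/php", "-d", "display_errors=1\nauto_prepend_file=/tmp/payload.php",
              "/tmp/isolated_test.php"]},
    {"pid": 4103, "parent_argv": ["php", "vendor/bin/phpunit"],
     "argv": ["/usr/bin/php", "-dauto_prepend_file=/tmp/payload.php", "tests/example.phpt"]},
    {"pid": 4104, "parent_argv": ["/bin/sh", "-c", "php /srv/app/index.php"],
     "argv": ["/usr/bin/php", "-d", "auto_prepend_file=/srv/app/bootstrap.php",
              "/srv/app/index.php"]},
]]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(pid, finding)
```

Scoping to children of a PHPUnit run keeps the rule quiet on legitimate auto_prepend_file use elsewhere on the host (pid 4104 above); drop the spawned_by_phpunit() check if you would rather review every php invocation that carries a watched directive.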
How to Mitigate CVE-2026-41570
Immediate Actions Required
- Upgrade PHPUnit to version 12.5.22 or 13.1.6 across development, CI, and build environments.
- Audit project configuration and CI pipelines for INI values sourced from untrusted input passed to PHPUnit.
- Rotate any secrets or credentials accessible to test runners on hosts that ran vulnerable PHPUnit versions.
Patch Information
The maintainers fixed the issue in PHPUnit 12.5.22 and 13.1.6. The fix neutralizes INI metacharacters before forwarding values to child processes. Patch details are available in PHPUnit Pull Request #6592 and in the GHSA-qrr6-mg7r-m243 security advisory.
Workarounds
- Restrict PHPUnit execution to trusted INI inputs and reject values containing newline, quote, or semicolon characters.
- Run test suites in ephemeral, isolated containers with open_basedir restrictions and read-only filesystem mounts where feasible.
- Remove or guard environment variables that influence PHP INI settings during CI test execution.
# Upgrade PHPUnit via Composer to a patched release
composer require --dev phpunit/phpunit:^13.1.6
# Or for the 12.x branch
composer require --dev phpunit/phpunit:^12.5.22
# Verify the installed version
./vendor/bin/phpunit --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.