CVE-2026-41570
Analyzed Analyzed - Analysis Complete
PHPUnit INI Injection Leading to Remote Code Execution

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets " as a string delimiter, ; as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives. An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including auto_prepend_file, extension, disable_functions, open_basedir, and others. Setting auto_prepend_file to an attacker-controlled path yields remote code execution in the child process. This issue has been patched in versions 12.5.22 and 13.1.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41570
EUVD
EUVD-2026-28649
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
phpunit_project phpunit 12.5.21
phpunit_project phpunit 13.1.5
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
CWE-88 The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in PHPUnit versions 12.5.21 and 13.1.5, where PHPUnit forwards PHP INI settings to child processes as command-line arguments without properly neutralizing special INI metacharacters.

Because PHP's INI parser treats certain characters like double quotes (") as string delimiters, semicolons (;) as comment starters, and newlines as directive separators, an attacker who can influence a single INI value can inject multiple additional INI directives into the child process configuration.

This injection can include dangerous directives such as auto_prepend_file, extension, disable_functions, and open_basedir. For example, setting auto_prepend_file to a malicious file path can lead to remote code execution in the child process.

The issue was fixed in versions 12.5.22 and 13.1.6 of PHPUnit.

Compliance Impact

The provided information does not explicitly address how the vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Detection of this vulnerability involves auditing PHPUnit configurations and PHP INI settings that are forwarded to child processes, especially looking for INI values containing newline characters or other metacharacters like quotes and semicolons that could be exploited.

You can check for vulnerable PHPUnit versions (12.5.21 and 13.1.5) installed on your system by running commands such as:

  • phpunit --version
  • composer show phpunit/phpunit

To detect potentially malicious or suspicious INI settings, you can search for phpunit.xml or other configuration files containing newline characters or suspicious directives like auto_prepend_file:

  • grep -P '\n' path/to/phpunit.xml
  • grep -r --include=phpunit.xml 'auto_prepend_file' /path/to/project

Additionally, monitoring child process command-line arguments for unexpected -d name=value pairs containing metacharacters can help detect exploitation attempts.

Impact Analysis

This vulnerability can allow an attacker with the ability to influence a single PHP INI setting to inject arbitrary configuration directives into PHPUnit's child processes.

Such injection can lead to remote code execution, meaning the attacker could execute malicious code on the affected system with the privileges of the PHPUnit process.

This can compromise the confidentiality, integrity, and availability of the system running PHPUnit, potentially leading to data breaches, system manipulation, or denial of service.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade PHPUnit to versions 12.5.22 or 13.1.6 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41570. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart