PHPUnit Vulnerability Allows RCE via INI Setting Injection
The National Vulnerability Database (NVD) has detailed CVE-2026-41570, a critical flaw in PHPUnit affecting versions 12.5.21 and 13.1.5. This vulnerability arises because PHPUnit passes INI settings to child processes as command-line arguments without proper sanitization. Attackers can exploit this by injecting newline characters within an INI value, causing the child process to parse additional, attacker-controlled directives. The NVD highlights that this can lead to the injection of directives like auto_prepend_file, enabling remote code execution within the isolated test environment.
What This Means For You
- If your development or CI/CD pipeline uses vulnerable versions of PHPUnit, you must patch immediately to versions 12.5.22 or 13.1.6. The ability to inject `auto_prepend_file` means an attacker could potentially execute arbitrary code in the context of your testing environment, leading to further compromise of build systems or sensitive data exposure.
🛡️ Detection Rules
PHPUnit RCE via INI Setting Injection (CVE-2026-41570) - Free Tier
```yaml
title: PHPUnit RCE via INI Setting Injection (CVE-2026-41570) - Free Tier
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects the execution of PHPUnit with the '-d auto_prepend_file=' argument, which is a key indicator of the CVE-2026-41570 vulnerability being exploited to achieve remote code execution by injecting INI settings.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41570/
tags:
  - attack.execution
  - attack.t1059.007
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - 'phpunit'
    CommandLine|contains:
      - '-d auto_prepend_file='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
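The advisory above describes the injection as a line break inside a single `-d name=value` setting. The following is an added example, not part of the original page or of PHPUnit, that checks process arguments for exactly that condition. It assumes the telemetry source provides each process's arguments as a list (argv); the function names and sample events are constructed for illustration.

```python
import re

# Directives this page names as injection targets (from its indicator table).
SENSITIVE = {"auto_prepend_file", "extension", "disable_functions", "open_basedir"}

def ini_settings(argv):
    """Return the setting string of every -d option: '-d x=y', '--define x=y', '-dx=y'."""
    settings, i = [], 1  # argv[0] is the executable itself
    while i < len(argv):
        arg = argv[i]
        if arg in ("-d", "--define") and i + 1 < len(argv):
            settings.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-d") and len(arg) > 2:
            settings.append(arg[2:])
        i += 1
    return settings

def triage(argv):
    """Classify one process-creation event as (severity, extra directive names)."""
    names, has_break = [], False
    for setting in ini_settings(argv):
        lines = re.split(r"\r\n|\r|\n", setting)
        if len(lines) > 1:
            has_break = True
            # Every line after the first is parsed by the child as its own directive.
            names += [ln.split("=", 1)[0].strip() for ln in lines[1:] if ln.strip()]
    if not has_break:
        return ("clean", [])
    return ("critical" if SENSITIVE & set(names) else "suspicious", names)

# Constructed sample events (argv lists), not taken from real telemetry.
SAMPLE_EVENTS = [
    ["php", "-d", "memory_limit=512M", "vendor/bin/phpunit", "tests/"],
    ["php", "-d", "include_path=/app/lib\nauto_prepend_file=/tmp/constructed.php",
     "vendor/bin/phpunit"],
    ["php", "-derror_log=/tmp/constructed.log\r\nhtml_errors=0", "vendor/bin/phpunit"],
    ["php", "-d", "auto_prepend_file=bootstrap.php", "vendor/bin/phpunit"],
]

def scan(events):
    """Return [(severity, names)] for each event, in order."""
    return [triage(argv) for argv in events]

if __name__ == "__main__":
    for argv, result in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(result, argv)
```

A setting that names `auto_prepend_file` directly with no line break, as in the last sample, is reported as clean by this check because it is not the injection pattern the advisory describes.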
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41570 | RCE | PHPUnit versions 12.5.21 and 13.1.5 |
| CVE-2026-41570 | Code Injection | PHPUnit forwarding PHP INI settings to child processes via -d name=value without neutralizing INI metacharacters |
| CVE-2026-41570 | Misconfiguration | Injection of arbitrary INI directives (e.g., auto_prepend_file, extension, disable_functions, open_basedir) in PHPUnit child processes |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 08, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.