Critical PHPUnit CVE-2026-24765: How Unsafe Coverage Files Enable RCE in CI/CD Pipelines
CVE-2026-24765, a high-severity vulnerability in the widely used PHP unit-testing framework PHPUnit, lets an attacker who can plant a crafted coverage file trigger unsafe deserialization, and with it remote code execution, during CI/CD test runs. Patched releases are available for every maintained branch and should be applied immediately.
Multiple security organizations have reported that attackers can exploit a high-severity vulnerability (CVE-2026-24765) in PHPUnit by supplying malicious coverage files. The flaw leads to unsafe deserialization and turns CI/CD test pipelines into a remote code execution (RCE) entry point.
PHPUnit is the standard unit-testing tool in the PHP ecosystem and is routinely run inside automated CI/CD workflows for continuous quality verification. The vulnerability lies in the cleanupForCoverage() routine used during PHPT test execution, which reads .coverage files from disk and deserializes their contents without validating where the file came from or what it contains.
When coverage collection is enabled, an attacker who can place a crafted .coverage file where that routine will read it can have PHPUnit deserialize an attacker-chosen object. In PHP, deserializing untrusted data can instantiate any autoloadable class and run its magic methods (for example __wakeup or __destruct) with attacker-controlled properties, which is what turns a data file into code execution on the test runner. The risk is amplified in typical CI/CD setups where test artifacts are shared between jobs, runners are not fully isolated, and pull requests or supply-chain mechanisms can introduce untrusted files into the workspace.
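The pattern described above, as an added illustration that is not PHPUnit's code and does not reproduce the actual cleanupForCoverage() logic: a hypothetical gadget class (DemoGadget), a crafted .coverage file written ahead of time, an unsafe reader that calls unserialize() with default options, and a hardened reader that disables object instantiation and then validates the result's shape. The file names, the class and the payload are constructed for the demo, and the expected coverage structure (file => line => count) is an assumption, not PHPUnit's real format.

```php
<?php
// Added illustration (not PHPUnit's code): why deserializing an untrusted
// ".coverage" file is dangerous, and what a hardened reader looks like.
// Class, file names, payload and the coverage shape are constructed.

declare(strict_types=1);

// A "gadget": any autoloadable class whose magic method acts on attacker-
// controlled properties. Real gadgets live in ordinary dependencies; this
// one only appends to a marker file so the demo is harmless.
final class DemoGadget
{
    public string $target = '';
    public string $payload = '';

    public function __wakeup(): void
    {
        // Runs automatically inside unserialize(), before the caller can
        // inspect the returned value.
        file_put_contents($this->target, $this->payload, FILE_APPEND);
    }
}

$dir = sys_get_temp_dir() . '/coverage-demo';
@mkdir($dir);
$coverageFile = $dir . '/test.coverage';
$marker = $dir . '/gadget-ran.txt';
@unlink($marker);

// Attacker step: pre-write a crafted coverage file. Its content is a
// serialized DemoGadget object instead of the array the reader expects.
$gadget = new DemoGadget();
$gadget->target = $marker;
$gadget->payload = "code ran during unserialize()\n";
file_put_contents($coverageFile, serialize($gadget));

// Unsafe reader: unserialize() with default options instantiates whatever
// class name the file contains and invokes its __wakeup().
function readCoverageUnsafe(string $path): mixed
{
    return unserialize((string) file_get_contents($path));
}

// Hardened reader: refuse object instantiation entirely, then check that the
// data has the expected shape (assumed here: file => [line => count]).
function readCoverageSafe(string $path): array
{
    $raw = (string) file_get_contents($path);
    // allowed_classes => false turns every object in the stream into
    // __PHP_Incomplete_Class; no constructor, __wakeup or __destruct runs.
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException("$path: not a coverage array");
    }
    foreach ($data as $file => $lines) {
        if (!is_string($file) || !is_array($lines)) {
            throw new RuntimeException("$path: malformed entry");
        }
        foreach ($lines as $line => $count) {
            if (!is_int($line) || !is_int($count)) {
                throw new RuntimeException("$path: malformed line data");
            }
        }
    }
    return $data;
}

readCoverageUnsafe($coverageFile);
echo file_exists($marker) ? "unsafe reader: gadget executed\n"
                          : "unsafe reader: nothing happened\n";

@unlink($marker);
try {
    readCoverageSafe($coverageFile);
} catch (RuntimeException $e) {
    echo "safe reader rejected file: {$e->getMessage()}\n";
}
echo file_exists($marker) ? "safe reader: gadget executed\n"
                          : "safe reader: gadget did not run\n";

// A legitimate coverage file still round-trips through the hardened reader.
file_put_contents($coverageFile, serialize(['src/Foo.php' => [10 => 1, 11 => 0]]));
var_dump(readCoverageSafe($coverageFile) === ['src/Foo.php' => [10 => 1, 11 => 0]]);
```

Run it with `php demo.php`. The hardened reader stops the gadget because with `allowed_classes => false` no class is instantiated, so no magic method can run, and the shape check then rejects the file outright. That limits the blast radius of a single reader, but it is not a substitute for the upgrade: the underlying problem is reading deserializable data from a location an untrusted contributor can write to, which is why the pipeline controls discussed later on this page matter as much as the patch.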
The PHPUnit team published a security advisory on January 27 describing the flaw and providing patched versions for all maintained branches: 8.5.52, 9.6.33, 10.5.62, 11.5.50, and 12.5.8. Every earlier release in those branches is vulnerable, and users should upgrade immediately.
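A quick check against that patched-release list, as an added helper that is not part of the advisory or of PHPUnit: it pulls the phpunit/phpunit entry out of composer.lock and compares it to the fixed version for its branch with PHP's version_compare(). The composer.lock excerpt embedded below is a constructed sample; in a real project pass the contents of ./composer.lock to installedPhpunit(). Branches not in the table are reported as "unknown" rather than "patched", since no fixed release is listed for them.

```php
<?php
// Added helper (not from the advisory or PHPUnit): decide from composer.lock
// whether the installed phpunit/phpunit is at or above the patched release
// the article lists for its branch. The lock-file content is a constructed
// sample; read ./composer.lock in a real project.

declare(strict_types=1);

// Patched releases per maintained branch, as quoted from the advisory.
const PHPUNIT_FIXED = [
    '8.5'  => '8.5.52',
    '9.6'  => '9.6.33',
    '10.5' => '10.5.62',
    '11.5' => '11.5.50',
    '12.5' => '12.5.8',
];

// Returns "patched", "vulnerable" or "unknown" for an installed version string.
function phpunitStatus(string $version): string
{
    $v = ltrim($version, 'v');
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $v, $m)) {
        return 'unknown';
    }
    $branch = $m[1];
    if (!isset(PHPUNIT_FIXED[$branch])) {
        // No fixed release is listed for this branch; do not report it as
        // patched. Treat "unknown" as "needs a move to a maintained branch".
        return 'unknown';
    }
    return version_compare($v, PHPUNIT_FIXED[$branch], '>=') ? 'patched' : 'vulnerable';
}

// Locate phpunit/phpunit in composer.lock (usually under packages-dev).
function installedPhpunit(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (($pkg['name'] ?? '') === 'phpunit/phpunit') {
                return (string) $pkg['version'];
            }
        }
    }
    return null;
}

// Constructed sample lock file; a real one carries many more fields.
$sampleLock = <<<'JSON'
{"packages": [], "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.61"}]}
JSON;

$installed = installedPhpunit($sampleLock);
printf("phpunit/phpunit %s: %s\n",
       $installed ?? 'not found',
       $installed === null ? 'unknown' : phpunitStatus($installed));
```

Because the test run, not the application, executes PHPUnit, the package is normally a dev dependency; the helper therefore scans both `packages` and `packages-dev`. The same comparison can be fed from `vendor/bin/phpunit --version` when no lock file is available.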
Beyond updating the package, development teams should audit their CI/CD pipelines so that unreviewed code or test artifacts cannot reach a test run with coverage collection enabled, enforce strict file-permission controls on the directories from which coverage files are read, and improve isolation of CI runners (ephemeral, per-job environments rather than long-lived shared ones) so that a planted file cannot persist from one run to the next.
21CTO
