diff --git a/tests/Unit/VolumeSecurityTest.php b/tests/Unit/VolumeSecurityTest.php
index 0196000a3..d7f20fc0e 100644
--- a/tests/Unit/VolumeSecurityTest.php
+++ b/tests/Unit/VolumeSecurityTest.php
@@ -174,3 +174,13 @@
             ->toThrow(Exception::class);
     }
 });
+
+test('parseDockerVolumeString rejects newline and tab in volume strings', function () {
+    // Newline can be used as command separator
+    expect(fn () => parseDockerVolumeString("/data\n:/app"))
+        ->toThrow(Exception::class);
+
+    // Tab can be used as token separator
+    expect(fn () => parseDockerVolumeString("/data\t:/app"))
+        ->toThrow(Exception::class);
+});