diff --git a/java/ql/test/query-tests/security/CWE-078/ExecRelative.expected b/java/ql/test/query-tests/security/CWE-078/ExecRelative.expected
index 066a36c66c8..be2194d5046 100644
--- a/java/ql/test/query-tests/security/CWE-078/ExecRelative.expected
+++ b/java/ql/test/query-tests/security/CWE-078/ExecRelative.expected
@@ -1 +1,2 @@
+| TaintedEnvironment.java:28:35:28:55 | new String[] | Command with a relative path 'ls' is executed. |
 | Test.java:50:46:50:49 | "ls" | Command with a relative path 'ls' is executed. |
diff --git a/java/ql/test/query-tests/security/CWE-078/ExecTaintedEnvironment.expected b/java/ql/test/query-tests/security/CWE-078/ExecTaintedEnvironment.expected
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/java/ql/test/query-tests/security/CWE-078/ExecTaintedEnvironment.ql b/java/ql/test/query-tests/security/CWE-078/ExecTaintedEnvironment.ql
new file mode 100644
index 00000000000..cdce227670a
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-078/ExecTaintedEnvironment.ql
@@ -0,0 +1,12 @@
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.TaintedEnvironmentVariableQuery
+import TestUtilities.InlineFlowTest
+
+private class TestSource extends RemoteFlowSource {
+ TestSource() { this.asExpr().(MethodCall).getMethod().hasName("source") }
+
+ override string getSourceType() { result = "test source" }
+}
+
+import TaintFlowTest
diff --git a/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java b/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java
new file mode 100644
index 00000000000..b7b1cc05f83
--- /dev/null
+++ b/java/ql/test/query-tests/security/CWE-078/TaintedEnvironment.java
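Review bot: In `ExecTaintedEnvironment.ql`, `TestSource` treats a call to any method named `source` as a remote flow source, regardless of which class declares it. The CWE-078 test directory holds other Java files (the `.expected` hunk above references `Test.java`), so a same-named helper there would presumably become a source for this query as well. Narrowing the characteristic predicate, for example by adding `getMethod().getDeclaringType().hasName("TaintedEnvironment")`, and giving the class a one-line QLDoc comment such as `/** A call to the test-only `source()` method, modelled as remote input. */` would make the intent explicit.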
@@ -0,0 +1,30 @@
+import java.lang.ProcessBuilder;
+import java.lang.Runtime;
+import java.util.Map;
+
+public class TaintedEnvironment {
+ public Object source() {
+ return null;
+ }
+
+ public void buildProcess() throws java.io.IOException {
+ String s = (String) source();
+ ProcessBuilder pb = new ProcessBuilder();
+
+ pb.environment().put("foo", s); // $hasTaintFlow
+
+ pb.environment().put(s, "foo"); // $hasTaintFlow
+
+ Map env = pb.environment();
+
+ env.put("foo", s); // $hasTaintFlow
+
+ pb.start();
+ }
+
+ public void exec() throws java.io.IOException {
+ String kv = (String) source();
+
+ Runtime.getRuntime().exec(new String[] { "ls" }, new String[] { kv }); // $hasTaintFlow
+ }
+}
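Review bot: Every statement in `buildProcess()` and `exec()` is a positive case marked `// $hasTaintFlow`, so nothing in this file pins the query against false positives. Adding an unannotated counterpart such as `pb.environment().put("foo", "bar"); // constant key and value, no flow expected` would catch a sink model that over-matches. The `exec` case also runs the relative command `"ls"`, which is why the commit has to add a `TaintedEnvironment.java:28` row to `ExecRelative.expected`; using `new String[] { "/bin/ls" }` would keep this test from coupling to the relative-path query. Only the `exec(String[], String[])` overload is exercised, so the `exec(String, String[])` and three-argument `envp` overloads look uncovered unless they are tested elsewhere.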