diff --git a/nixos/doc/manual/release-notes/rl-2003.xml b/nixos/doc/manual/release-notes/rl-2003.xml
index c0e7a00d757..1ea07679dab 100644
--- a/nixos/doc/manual/release-notes/rl-2003.xml
+++ b/nixos/doc/manual/release-notes/rl-2003.xml
@@ -163,6 +163,14 @@
      time during the releases development (if viable).
     </para>
    </listitem>
+   <listitem>
+    <para>
+      The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
+      <literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
+      If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
+      setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 
diff --git a/nixos/modules/services/web-servers/phpfpm/default.nix b/nixos/modules/services/web-servers/phpfpm/default.nix
index 095de64dfb1..7698f8c3a26 100644
--- a/nixos/modules/services/web-servers/phpfpm/default.nix
+++ b/nixos/modules/services/web-servers/phpfpm/default.nix
@@ -262,6 +262,7 @@ in {
         in {
           Slice = "phpfpm.slice";
           PrivateDevices = true;
+          PrivateTmp = true;
           ProtectSystem = "full";
           ProtectHome = true;
           # XXX: We need AF_NETLINK to make the sendmail SUID binary from postfix work