Description
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Published: 2026-01-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Untrusted Artifact Inclusion
Action: Patch Now
AI Analysis

Impact

Gradle versions prior to 9.3.0 did not treat certain dependency-resolution exceptions as fatal, so instead of disabling the failing repository the build continued on to the subsequent repositories in its list. An unresolvable host name, or a repository that throws one of these exceptions, could be exploited by an attacker who registers a domain matching the build's repository host name and uses it to supply malicious artifacts. The victim build would then incorporate these artifacts, potentially leading to remote code execution or the introduction of compromised binaries into released products.

Affected Systems

The vulnerability affects Gradle, the Java build automation tool, in all releases prior to 9.3.0. Any project configuration that lists one or more remote repositories is susceptible, because these Gradle versions do not disable a faulty repository on error.

Risk and Exploitability

The CVSS score of 8.6 indicates a high-severity risk, but the EPSS score of less than 1% suggests that the probability of exploitation is currently low. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to know the build's repository list and ensure their rogue host appears early in that list, so the exploit is feasible but requires targeted preparation. Damage can range from malicious code insertion to supply-chain compromise, depending on the artifact content.

Generated by OpenCVE AI on April 18, 2026 at 05:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gradle to version 9.3.0 or newer, which stops searching additional repositories upon encountering resolution errors.
  • Verify that repository ordering in your build scripts places trusted repositories earlier and removes or replaces any expired or potentially spoofable hostnames.
  • If upgrading immediately is not feasible, restrict network access to Gradle repositories or use an internal proxy to control artifact sources until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 05:37 UTC.
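The recommended actions above talk about repository ordering and controlling artifact sources without showing what that looks like in a build. The following settings.gradle.kts, in Gradle's Kotlin DSL, is an added example and is not part of the OpenCVE record or of Gradle's own documentation. It shows the weak shape (a spoofable host listed ahead of the trusted repositories) as a comment and, beside it, a hardened shape that keeps one centrally managed repository list and uses Gradle's content filtering (exclusiveContent / content) so that an in-house group can only ever be resolved from the internal proxy. The host names, the repository name "internal" and the group id com.example.internal are placeholders. This limits what a skipped or later-registered host can influence on a pre-9.3.0 Gradle, but it does not replace upgrading to 9.3.0 or newer.

```kotlin
// settings.gradle.kts (added example; not the advisory's or the Gradle project's own code)
// Assumptions: public artifacts come from Maven Central, and one in-house group
// "com.example.internal" is served by an internal proxy at
// https://artifacts.example.internal/repository/maven (placeholder host).

dependencyResolutionManagement {
    // Refuse repositories declared in individual build scripts, so the list
    // below is the only one dependency resolution will consult. A subproject
    // that still carries its own repositories { } block fails configuration,
    // which also surfaces forgotten or mistyped hosts hidden in subprojects.
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

    repositories {
        // Weak shape (do not use): a repository whose host may lapse or was
        // mistyped, listed first. Before Gradle 9.3.0 an unresolvable host here
        // did not disable the repository; the build kept working from the next
        // entry, and whoever later registers that name is asked first for
        // every artifact.
        //
        //   maven { url = uri("https://repo.exmaple-typo.com/maven2") }
        //   mavenCentral()

        // Hardened shape: pin the internal group to the internal proxy only.
        // exclusiveContent makes Gradle look for the listed groups in this
        // repository and nowhere else, so the group is never "rescued" by
        // falling through to another repository, and no other host in the
        // list can answer for it.
        exclusiveContent {
            forRepository {
                maven {
                    name = "internal"
                    url = uri("https://artifacts.example.internal/repository/maven")
                }
            }
            filter {
                includeGroup("com.example.internal")
            }
        }

        // Everything else comes from Maven Central, declared once, with the
        // internal group excluded so a misrouted lookup cannot reach it.
        mavenCentral {
            content {
                excludeGroup("com.example.internal")
            }
        }
    }
}
```

Place this file at the root of the build. The central list is deliberately short: every host in it should be one the organisation controls or trusts, and removing a stale or mistyped host from this list removes the exposure the advisory describes entirely, whereas the content filters only narrow which groups a wrong host could ever answer for.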

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Tue, 20 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared: Gradle, Gradle gradle
Vendors & Products: Gradle, Gradle gradle

Fri, 16 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Title Gradle fails to disable repositories which can expose builds to malicious artifacts
Weaknesses CWE-494
CWE-829
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T14:49:32.077Z

Reserved: 2026-01-09T22:50:10.289Z

Link: CVE-2026-22816

Vulnrichment

Updated: 2026-01-20T14:49:24.534Z

NVD

Status : Analyzed

Published: 2026-01-16T23:15:50.127

Modified: 2026-02-18T16:17:00.120

Link: CVE-2026-22816

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses