Description
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Published: 2026-01-16
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Malicious artifact injection via unchecked dependency resolution
Action: Upgrade
AI Analysis

Impact

In Gradle versions earlier than 9.3.0, dependency resolution failures did not disable the offending repository. The system would then proceed to the next repository in the list, potentially pulling artifacts from a malicious or compromised source. This flaw enables a threat actor who manages or can influence a repository to supply malicious build artifacts to downstream users, compromising the integrity of build outputs. The weakness is categorized as CWE-494 and CWE-829, indicating the use of untrusted content and parameter misuse.

Affected Systems

Gradle build automation tool, all versions before 9.3.0, affecting any projects that use native-platform dependency resolution.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.6, underscoring a high risk to confidentiality and integrity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not currently listed in CISA’s KEV catalog. Exploitation requires the attacker to control a repository that is queried after a failed resolution attempt, thereby enabling the delivery of malicious artifacts; the attack vector is therefore indirect and requires repository-level compromise.

Generated by OpenCVE AI on April 18, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gradle 9.3.0 or newer to enforce repository disabling on errors
  • Restrict repository URLs to trusted sources and enforce strict access controls
  • Enable artifact integrity checks such as checksum or signature verification during dependency resolution

Generated by OpenCVE AI on April 18, 2026 at 05:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Tue, 20 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Gradle
Gradle gradle
Vendors & Products Gradle
Gradle gradle

Fri, 16 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Title Gradle's failure to disable repositories failing to answer can expose builds to malicious artifacts
Weaknesses CWE-494
CWE-829
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Gradle Gradle
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T14:47:41.205Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22865

cve-icon Vulnrichment

Updated: 2026-01-20T14:47:34.289Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T23:15:50.280

Modified: 2026-02-18T16:16:01.930

Link: CVE-2026-22865

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses