Cyber Resilience

CVE-2026-22865

Severity: High
Published: 16 January 2026
Modified: 18 February 2026
KEV added: not listed
CVSS v4.0 base score: 8.6 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N)
EPSS score: 0.0014 (3.3rd percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22865 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Gradle (vendor: Gradle), the build automation tool. Its CVSS v4.0 base score is 8.6 (High); the CVSS v3.1 base score is 7.4.

Operationally, exploitation maps to the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). EPSS ranks it at the 3.3rd percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-12 (Supply Chain Protection) and SI-7 (Software, Firmware, and Information Integrity). Note that SA-12 is withdrawn in Revision 5 of SP 800-53, where its content moved to the SR family (principally SR-3, Supply Chain Controls and Processes); SI-7 is unchanged.

Deeper analysis

CVE-2026-22865 affects Gradle, the build automation tool, in its dependency resolution process in versions prior to 9.3.0. Gradle's native-platform tool, mentioned in the advisory text, provides Java bindings for native APIs; the flaw itself lies in how Gradle classified certain exceptions raised while contacting a repository. An exception such as NoHttpResponseException, which can indicate a transient network error, was not treated as fatal, so the affected repository was not disabled. Once the maximum number of retries was exhausted, Gradle simply moved on to the next repository in the declared list and could resolve the dependency from there.

An attacker who can disrupt a targeted repository, for example by making it fail persistently in a way that surfaces as NoHttpResponseException, can therefore force Gradle to fall back to a repository declared later in the list. If the attacker controls that later repository, they can serve malicious artifacts during dependency resolution. The attack thus needs two things: a way to disrupt the legitimate repository, and control of a repository that follows it in the build's declaration order (the CVSS v4 vector records this precondition as AT:P, and the developer-triggered build as UI:P). Exploitation is over the network without privileges but with high attack complexity (AV:N/AC:H/PR:N) and can yield high confidentiality and integrity impacts with no availability impact (C:H/I:H/A:N); the CVSS v3.1 base score is 7.4. The weakness is classified as CWE-494 (Download of Code Without Integrity Check) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).

The Gradle security advisory at https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv describes the fix: Gradle 9.3.0 treats these exceptions as fatal, so once the retry limit is reached resolution stops instead of continuing to the next repository. Upgrade to Gradle 9.3.0 or later. Until the upgrade is in place, review the repository order in each build: the exploitable configuration is one where a repository the attacker could control or publish to is declared after the repository that serves trusted artifacts. After the upgrade, a persistent outage of an early repository becomes a hard build failure rather than a silent fallback; that is the intended behaviour.
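The fallback described in the three paragraphs above, as an added model written for this page. It is not Gradle's resolver code: the class and exception names, the retry limit of three and the two constructed repositories are assumptions chosen to mirror the advisory's description, and the one flag `stopOnPersistentError` switches between the pre-9.3.0 behaviour and the 9.3.0 fix.

```kotlin
// Added model of the pre-9.3.0 repository fallback and the 9.3.0 fix. Illustrative
// code, not Gradle's resolver: class names, the retry limit of three and the two
// constructed repositories are assumptions that mirror the advisory text.

/** Mirrors the transient-looking HTTP client error named in the advisory. */
class NoHttpResponseException(message: String) : RuntimeException(message)

/** Raised by the fixed resolver when a repository is still failing after all retries. */
class RepositoryUnavailableException(repository: String, attempts: Int, cause: Throwable) :
    RuntimeException(
        "repository '$repository' still failing after $attempts attempts; not falling back to later repositories",
        cause,
    )

interface Repository {
    val name: String
    /** Returns the artifact for [coordinate], or null if this repository does not have it. */
    fun fetch(coordinate: String): String?
}

/** Constructed: the legitimate repository the attacker has disrupted; every request dies without a response. */
class DisruptedRepository(override val name: String) : Repository {
    override fun fetch(coordinate: String): String? =
        throw NoHttpResponseException("$name failed to respond")
}

/** Constructed: a repository further down the declared list that the attacker controls. */
class AttackerRepository(override val name: String) : Repository {
    override fun fetch(coordinate: String): String = "MALICIOUS artifact for $coordinate"
}

data class Resolution(val repository: String, val artifact: String)

/**
 * Walks the declared repositories in order, retrying each one up to [maxRetries]
 * times on NoHttpResponseException.
 *
 * stopOnPersistentError = false reproduces Gradle before 9.3.0: a repository that
 * keeps failing is skipped rather than disabled, so resolution continues with the
 * next one. stopOnPersistentError = true reproduces 9.3.0+: the persistent failure
 * is fatal and no later repository is consulted.
 */
fun resolve(
    repositories: List<Repository>,
    coordinate: String,
    stopOnPersistentError: Boolean,
    maxRetries: Int = 3,
): Resolution? {
    for (repo in repositories) {
        var attempts = 0
        while (true) {
            try {
                val artifact = repo.fetch(coordinate) ?: break   // genuinely absent here: try the next repository
                return Resolution(repo.name, artifact)
            } catch (e: NoHttpResponseException) {
                attempts++
                if (attempts < maxRetries) continue              // assume transient, retry
                if (stopOnPersistentError) throw RepositoryUnavailableException(repo.name, attempts, e)
                break                                            // vulnerable path: move on silently
            }
        }
    }
    return null
}

fun main() {
    val coordinate = "com.example:internal-lib:1.4.0"
    // Declared order is what the attack exploits: the disrupted repository comes
    // first, the attacker-controlled one second.
    val repositories = listOf(DisruptedRepository("internal"), AttackerRepository("public-mirror"))

    val vulnerable = resolve(repositories, coordinate, stopOnPersistentError = false)
    println("before 9.3.0: resolved from ${vulnerable?.repository}: ${vulnerable?.artifact}")

    try {
        resolve(repositories, coordinate, stopOnPersistentError = true)
    } catch (e: RepositoryUnavailableException) {
        println("9.3.0 and later: build fails; ${e.message}")
    }
}
```

Run with `kotlinc` or as a script. The point to take from the model is the control flow, not the retry count: the only difference between the two paths is what happens after the last retry, and that single decision determines whether an outage of the first repository turns into a build failure or into a download from whoever is listed next.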

Vulnerability details

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.

CWE(s)

CWE-494 Download of Code Without Integrity Check
CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1195.001 Compromise Software Dependencies and Development Tools (tactic: Initial Access)
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.

Why this technique: the vulnerability directly enables compromise of software dependencies by forcing fallback to an attacker-controlled repository during Gradle resolution, which matches T1195.001.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-22816 (same product: Gradle)
CVE-2026-25063 (same vendor: Gradle)
CVE-2025-27510 (shared CWE-829)
CVE-2025-27607 (shared CWE-829)
CVE-2025-69263 (shared CWE-494)
CVE-2025-15612 (shared CWE-829)
CVE-2026-42575 (shared CWE-494)
CVE-2026-34841 (shared CWE-494)
CVE-2026-43569 (shared CWE-829)
CVE-2025-34212 (shared CWE-494)

Affected Assets

gradle (vendor: gradle): versions ≤ 8.14.4, and 9.0.0 up to but not including 9.3.0 (fixed in 9.3.0)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SA-12 Supply Chain Protection (prevent): directly requires protection against supply-chain attacks that insert malicious artifacts into build dependencies by controlling external repositories.

SI-7 Software, Firmware, and Information Integrity (prevent): requires verification of software integrity before use, blocking resolution of untrusted or altered artifacts from fallback repositories.

Supply chain controls and processes (prevent): implement controls that restrict which repositories may be used during dependency resolution, so that an outage of one repository cannot shift resolution to an unvetted one.
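One way to implement the repository restriction the last control describes, and to remove the exploitable repository ordering discussed in the deeper analysis without waiting for the 9.3.0 upgrade, is Gradle's own settings-level repository management. The following settings.gradle.kts is an added example written for this page, not configuration from the Gradle project or the advisory; the internal repository URL, the `com.example` group prefix and the project name are placeholders.

```kotlin
// settings.gradle.kts (added example; not from the Gradle project or the advisory)
// Assumptions: the organisation publishes its own artifacts under groups matching
// "com.example.*" to an internal repository at https://repo.example.internal/maven
// (placeholder URL); everything else is expected to come from Maven Central.

rootProject.name = "hardened-build"

dependencyResolutionManagement {
    // Centralise the repository list. With FAIL_ON_PROJECT_REPOS, a build.gradle(.kts)
    // that declares its own repositories {} block fails the build, so no subproject
    // can quietly append a further repository that would become a fallback candidate.
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

    repositories {
        // Exclusive content: groups matched by the filter are looked up ONLY in the
        // internal repository, and Gradle automatically excludes those groups from
        // every other repository declared here. If "internal" is unreachable,
        // resolution of those coordinates fails outright; there is no second
        // repository to fall back to, on any Gradle version.
        exclusiveContent {
            forRepository {
                maven {
                    name = "internal"
                    url = uri("https://repo.example.internal/maven")
                }
            }
            filter {
                includeGroupByRegex("""com\.example(\..*)?""")
            }
        }

        // Public dependencies. Because of the exclusive content above, a look-alike
        // com.example.* artifact published to Central is never a candidate.
        mavenCentral()
    }
}
```

This closes the ordering problem for the groups you own, but it does not verify what any repository actually serves. For the SI-7 integrity layer, enable Gradle dependency verification: bootstrap gradle/verification-metadata.xml with `./gradlew --write-verification-metadata sha256,pgp --export-keys help`, review and commit it with verify-metadata and verify-signatures enabled, and from then on an artifact whose checksum or signature differs from the recorded one fails the build whichever repository delivered it. Neither measure replaces the upgrade to 9.3.0; they are defence in depth for builds that declare more than one repository.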
