CVE-2026-22865
Published: 16 January 2026
Summary
CVE-2026-22865 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Gradle Gradle. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 7.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.
Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.
Supply chain protection requires integrity verification of acquired components, directly reducing insertion or tampering of malicious code during delivery.
Limits inclusion of functionality from untrusted sources through supply-chain and component trustworthiness evaluation before integration.
Component authenticity requires verifying origin/integrity of acquired firmware or software, directly preventing inclusion of code without integrity checks.
Allocation of supply-chain risk management responsibilities and vetting of the development/operational environment reduce inclusion of functionality from untrusted control spheres.
Authorizing and controlling mobile code requires verifying origin and integrity before download/execution, directly preventing this weakness.
Proactive network scanning for malicious code directly detects and blocks downloads that lack integrity verification.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables compromise of software dependencies by forcing fallback to attacker-controlled repository during Gradle resolution, matching T1195.001.
NVD Description
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled.…
more
If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Deeper analysisAI
CVE-2026-22865 affects Gradle, a build automation tool, specifically its dependency resolution process in versions prior to 9.3.0. The native-platform tool in Gradle provides Java bindings for native APIs, but the vulnerability stems from how Gradle handles certain exceptions during repository access. Exceptions such as NoHttpResponseException were not treated as fatal errors, preventing the disablement of the affected repository. Instead, Gradle would proceed to the next repository in the list after retries, potentially resolving dependencies from an alternative source.
An attacker can exploit this vulnerability by disrupting service on a targeted repository—such as through persistent transient errors like NoHttpResponseException—to force Gradle to fall back to a subsequent repository under the attacker's control. This enables the serving of malicious artifacts during dependency resolution. Exploitation requires network access with no privileges (AV:N/AC:H/PR:N) and can result in high confidentiality and integrity impacts (C:H/I:H/A:N), with a CVSS v3.1 base score of 7.4. The attack is linked to CWE-494 and CWE-829.
The Gradle security advisory at https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv details the mitigation: Gradle 9.3.0 introduces a behavioral change to treat these exceptions as fatal, halting further repository searches upon encountering them after maximum retries. Users should upgrade to Gradle 9.3.0 or later to prevent fallback to potentially compromised repositories.
Details
- CWE(s)