CVE-2026-22865
Published: 16 January 2026
Summary
CVE-2026-22865 is a high-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Gradle Gradle. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-12 (Supply Chain Protection) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2026-22865 affects Gradle, a build automation tool, specifically its dependency resolution process in versions prior to 9.3.0. The native-platform tool in Gradle provides Java bindings for native APIs, but the vulnerability stems from how Gradle handles certain exceptions during repository access. Exceptions such as NoHttpResponseException were not treated as fatal errors, preventing the disablement of the affected repository. Instead, Gradle would proceed to the next repository in the list after retries, potentially resolving dependencies from an alternative source.
An attacker can exploit this vulnerability by disrupting service on a targeted repository—such as through persistent transient errors like NoHttpResponseException—to force Gradle to fall back to a subsequent repository under the attacker's control. This enables the serving of malicious artifacts during dependency resolution. Exploitation requires network access with no privileges (AV:N/AC:H/PR:N) and can result in high confidentiality and integrity impacts (C:H/I:H/A:N), with a CVSS v3.1 base score of 7.4. The attack is linked to CWE-494 and CWE-829.
The Gradle security advisory at https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv details the mitigation: Gradle 9.3.0 introduces a behavioral change to treat these exceptions as fatal, halting further repository searches upon encountering them after maximum retries. Users should upgrade to Gradle 9.3.0 or later to prevent fallback to potentially compromised repositories.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3594
Vulnerability details
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled.…
more
If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables compromise of software dependencies by forcing fallback to attacker-controlled repository during Gradle resolution, matching T1195.001.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires protection against supply-chain attacks that insert malicious artifacts into build dependencies by controlling external repositories.
Requires verification of software integrity before use, blocking resolution of untrusted or altered artifacts from fallback repositories.
Implements supply-chain controls and processes that restrict which repositories may be used during dependency resolution.