CVE-2026-22816

Severity: High (CVSS 4.0 base score 8.6) · EPSS: 4.5%
Published Jan 16, 2026 (5mo ago) · Modified Jun 17, 2026 (2w ago)

Description

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
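As an added hardening example that is not part of the advisory or the Gradle project's own code: a `settings.gradle.kts` fragment (hostname and group name are placeholders) that binds the internal dependency group to its own repository with `exclusiveContent`, so a failure at that repository cannot be answered by the next repository in the list, and rejects repositories declared in individual build scripts.

```kotlin
// settings.gradle.kts (added example; hostname and group are placeholders)
dependencyResolutionManagement {
    // Fail the build if any project build script declares its own repositories,
    // so the ordered list below is the only one resolution can walk.
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

    repositories {
        // The internal repository serves only the internal group, and that group
        // is served by nothing else. If this host cannot be resolved, the build
        // fails for that group instead of silently falling through to another
        // repository; other groups are never requested from this host at all.
        exclusiveContent {
            forRepository {
                maven {
                    name = "internal"
                    url = uri("https://repo.internal.example/maven2") // placeholder host
                }
            }
            filter {
                includeGroup("com.example.internal") // placeholder group
            }
        }
        // Everything else comes only from Maven Central.
        mavenCentral()
    }
}
```

Pair this with Gradle dependency verification (`gradle --write-verification-metadata sha256` to record checksums) so that an artifact served by an unexpected host fails the checksum check even if it resolves.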

CVSS Details

Base Score
8.6
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Passive (UI:P)
Scope Not defined (CVSS 4.0 has no Scope metric)

Threat Intelligence

EPSS Exploit Probability
4.5% (probability)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses

CWE-494
CWE-829

Affected Products

Vendor    Product    Version    Range
gradle    gradle     *          <8.14.4
gradle    gradle     *          ≥9.0.0 – <9.3.0

References

  • github.com https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a
    Patch
  • github.com https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82
    Vendor Advisory

Remediation

  • github.com https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a
    Patch