Vulnerabilities ›

CVE-2026-22865

High

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal

CWE-494 — Weakness Type

                    Published: Jan 16, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.4

🔗 NVD Official

📄 Description (English)

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.

🤖 AI Executive Summary

Gradle versions before 9.3.0 fail to treat certain exceptions as fatal errors during dependency resolution, allowing attackers to disrupt legitimate repositories and inject malicious artifacts from alternative repositories. This supply chain attack vector poses significant risk to organizations using Gradle for build automation, particularly those with multiple configured repositories. The vulnerability requires attacker control over a downstream repository but could compromise entire software supply chains.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 4, 2026 23:02

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations in financial services (SAMA-regulated banks), government agencies (NCA oversight), and critical infrastructure (ARAMCO, SEC, telecom providers like STC) face significant supply chain compromise risk. Development teams using Gradle for Java/Kotlin projects could unknowingly integrate malicious dependencies into production systems. The impact extends to software vendors serving Saudi entities, potentially affecting downstream customers. Government digital transformation initiatives and fintech platforms are particularly vulnerable given their reliance on open-source build tools.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Sector Energy and Utilities Telecommunications Healthcare Software Development and IT Services Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1195 - Supply Chain Compromise T1195.001 - Compromise Software Dependencies and Development Tools T1195.003 - Compromise Hardware Supply Chain T1566.002 - Phishing: Spearphishing Link T1583.003 - Acquire Infrastructure: Virtual Private Server T1589.001 - Gather Victim Identity Information: Credentials

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

1. IMMEDIATE ACTIONS:

   - Audit all Gradle installations across development environments and CI/CD pipelines

   - Document all configured repositories in Gradle build files (build.gradle, settings.gradle)

   - Review dependency resolution logs for NoHttpResponseException or similar transient errors

   - Implement repository access controls and network segmentation



2. PATCHING GUIDANCE:

   - Upgrade Gradle to version 9.3.0 or later immediately

   - Update gradle-wrapper.properties in all projects to reference patched version

   - Rebuild all artifacts with patched Gradle version

   - Verify integrity of previously built artifacts against known-good checksums



3. COMPENSATING CONTROLS (if immediate patching not possible):

   - Restrict repository list to single trusted internal mirror/proxy

   - Implement repository pinning with explicit version constraints

   - Enable strict dependency verification using gradle-dependency-verify plugin

   - Monitor HTTP response codes and connection failures in build logs

   - Implement artifact signature verification for all dependencies



4. DETECTION RULES:

   - Alert on NoHttpResponseException or ConnectException in Gradle build logs

   - Monitor for repository fallback behavior (switching between configured repos)

   - Track changes to build.gradle repository configurations

   - Audit artifact downloads from non-primary repositories

   - Implement SBOM generation and comparison for build artifacts

🔧 خطوات المعالجة (العربية)

1. الإجراءات الفورية:

   - تدقيق جميع تثبيتات Gradle عبر بيئات التطوير وخطوط أنابيب CI/CD

   - توثيق جميع المستودعات المكونة في ملفات بناء Gradle (build.gradle و settings.gradle)

   - مراجعة سجلات حل التبعيات بحثاً عن NoHttpResponseException أو أخطاء عابرة مماثلة

   - تنفيذ عناصر تحكم الوصول إلى المستودع وتقسيم الشبكة



2. إرشادات التصحيح:

   - ترقية Gradle إلى الإصدار 9.3.0 أو أحدث على الفور

   - تحديث gradle-wrapper.properties في جميع المشاريع للإشارة إلى الإصدار المصحح

   - إعادة بناء جميع القطع الأثرية باستخدام إصدار Gradle المصحح

   - التحقق من سلامة القطع الأثرية المبنية مسبقاً مقابل المجاميع المعروفة الجيدة



3. الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

   - تقييد قائمة المستودع إلى مرآة/وكيل داخلي موثوق واحد

   - تنفيذ تثبيت المستودع مع قيود الإصدار الصريحة

   - تمكين التحقق الصارم من التبعيات باستخدام مكون gradle-dependency-verify

   - مراقبة رموز استجابة HTTP وأخطاء الاتصال في سجلات البناء

   - تنفيذ التحقق من توقيع القطع الأثرية لجميع التبعيات



4. قواعد الكشف:

   - تنبيه على NoHttpResponseException أو ConnectException في سجلات بناء Gradle

   - مراقبة سلوك الرجوع إلى المستودع (التبديل بين المستودعات المكونة)

   - تتبع التغييرات في تكوينات مستودع build.gradle

   - تدقيق تنزيلات القطع الأثرية من المستودعات غير الأساسية

   - تنفيذ إنشاء SBOM والمقارنة لقطع البناء

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Software development security controls ECC 2024 A.14.2.5 - Secure development environment ECC 2024 A.14.3.1 - Testing of security functionality ECC 2024 A.8.2.3 - Segregation of development, test and production environments

🔵 SAMA CSF

SAMA CSF ID.SC-4 - Supply chain risk management SAMA CSF PR.DS-6 - Data integrity and authenticity SAMA CSF DE.CM-1 - Detection processes and tools SAMA CSF RS.MI-2 - Incident response and recovery

🟡 ISO 27001:2022

ISO 27001:2022 A.8.2.3 - Segregation of development, test and production environments ISO 27001:2022 A.8.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Information security requirements analysis and specification ISO 27001:2022 A.14.3.1 - Secure development policy and procedures

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 6.3.2 - Security testing and assessment PCI DSS 8.2.1 - User identification and authentication

🔗 References & Sources 1

🔗

https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 2 entries

gradle:gradle

📊 CVSS Score

7.4

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityH — High

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.4

CWECWE-494

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-01-16

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-494

🏢 Vendor Advisories

🔗 https://github.com/gradle/gradle/security/advisories...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-22865

💬 Comments

Introduce Yourself

Sign In Required