PT-2026-3331 · Gradle · Gradle

Highcobexer

Published 2026-01-16 · Updated 2026-01-22 · CVE-2026-22865

CVSS v4.0: 8.6 High
Vector: AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N
Name of the Vulnerable Software and Affected Versions: Gradle versions prior to 9.3.0

Description: Gradle, a build automation tool, has an issue in versions before 9.3.0 where dependency resolution does not treat certain exceptions as fatal errors. When such an error occurs at one repository, Gradle continues to the subsequent repositories in the list, so a dependency can end up being resolved from a malicious source after the legitimate repository has been disrupted. Specifically, exceptions such as NoHttpResponseException are not immediately fatal: after its retries are exhausted, Gradle proceeds to the next repository. An attacker controlling a later repository could therefore serve malicious artifacts whenever the primary repository is unavailable. The issue is resolved by stopping the search of other repositories when one of these errors is encountered.

Recommendations: Update to Gradle version 9.3.0 or later.
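As an added hardening example, not part of this advisory or of the Gradle project's own code: a settings.gradle.kts that removes the fall-through target the description relies on, by giving each dependency group exactly one repository that is allowed to serve it. The repository name, its URL and the "com.example" group prefix are assumed placeholders; upgrading to 9.3.0 or later remains the actual fix.

```kotlin
// settings.gradle.kts (added example; repository name, URL and group prefix are assumed)
dependencyResolutionManagement {
    // Refuse repositories declared in individual build scripts, so the list
    // below is the only repository list dependency resolution can walk.
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

    repositories {
        // Pin the organisation's own groups to the internal repository.
        // exclusiveContent makes "internal" the only repository eligible for
        // these groups, so a transient failure there has no next repository
        // to fall through to: resolution fails instead of being served by
        // whatever comes later in the list.
        exclusiveContent {
            forRepository {
                maven {
                    name = "internal"
                    url = uri("https://repo.example.internal/maven2") // assumed URL
                }
            }
            filter {
                // "com.example" and its sub-groups (assumed prefix)
                includeGroupByRegex("com\\.example(\\..*)?")
            }
        }

        // Everything else is served by Maven Central only. A second
        // general-purpose repository after it would be exactly the
        // fallback target the advisory describes, so none is declared.
        mavenCentral()
    }
}
```

Pair this with Gradle's dependency verification (`./gradlew --write-verification-metadata sha256 help` generates `gradle/verification-metadata.xml`) so that an artifact substituted at any repository fails its checksum check at build time.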

Related Identifiers

BIT-GRADLE-2026-22865
CVE-2026-22865
GHSA-MQWM-5M85-GMCV

Affected Products

Gradle