CVE-2026-22816
CVE-2026-22816 is a high-severity vulnerability in Gradle with a CVSS 3.x base score of 7.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-494.
Key facts
- Severity: High (CVSS 3.x base score 7.4)
- CVSS v4: 8.6
- EPSS exploit prediction: 0% (5th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-3593
- Weakness: CWE-494
- Affected product: Gradle
- Published:
- Last modified:
Description
Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
Frequently asked questions
- What is CVE-2026-22816?
- Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. If a Gradle build used an unresolvable host name, Gradle would continue to work as long as all dependencies could be resolved from another repository. An unresolvable host name could be caused by allowing a repository's domain name registration to lapse or typo-ing the real domain name. This behavior could allow an attacker to register a service under the host name used by the build and serve malicious artifacts. The attack requires the repository to be listed before others in the build configuration. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.
- How severe is CVE-2026-22816?
- CVE-2026-22816 has a CVSS 3.x base score of 7.4, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-22816 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (5th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-22816?
- CVE-2026-22816 affects Gradle. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-22816?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-22816 have an EU (EUVD) identifier?
- Yes. CVE-2026-22816 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-3593.
- When was CVE-2026-22816 published?
- CVE-2026-22816 was published on 2026-01-16 and last updated on 2026-06-17.
References
- https://github.com/gradle/gradle/commit/e5707d0d8fce3d768c9c489004700d78eab1773a
- https://github.com/gradle/gradle/security/advisories/GHSA-w78c-w6vf-rw82
Affected products (1)
- cpe:2.3:a:gradle:gradle:*:*:*:*:*:*:*:*
More vulnerabilities in Gradle
- CVE-2019-15052 — Critical (CVSS 9.8): The HTTP client in Gradle before 5.6 sends authentication credentials originally destined for the configured host. If…
- CVE-2016-6199 — Critical (CVSS 9.8): ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized…
- CVE-2021-29428 — High (CVSS 8.8): In Gradle before version 7.0, on Unix-like systems, the system temporary directory can be created with open permissions…
- CVE-2021-41588 — High (CVSS 8.1): In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects.…
- CVE-2021-29427 — High (CVSS 8.0): In Gradle from version 5.1 and before version 7.0 there is a vulnerability which can lead to information disclosure…
- CVE-2022-23630 — High (CVSS 7.5): Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases,…
Other CWE-494 vulnerabilities
- CVE-2020-1595 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren't properly protected from…
- CVE-2020-1210 — Critical (CVSS 9.9): <p>A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source…
- CVE-2026-42248 — Critical (CVSS 9.8): Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. Unlike…
- CVE-2026-34841 — Critical (CVSS 9.8): Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack…
- CVE-2026-3000 — Critical (CVSS 9.8): IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated…
- CVE-2026-2999 — Critical (CVSS 9.8): IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated…