CVE-2026-22865
📋 TL;DR
This vulnerability in Gradle's dependency resolution could allow an attacker to disrupt a legitimate repository and force builds to use a malicious repository they control. It affects Gradle users with multiple repositories configured who haven't updated to version 9.3.0 or later. The attack requires the attacker to control a repository that appears after the disrupted one in the repository list.
💻 Affected Systems
- Gradle
📦 What is this software?
Gradle by Gradle
⚠️ Risk & Real-World Impact
Worst Case
Attackers could serve malicious dependencies that execute arbitrary code during builds, potentially leading to supply chain compromise and backdoor installation.
Likely Case
Attackers could serve tampered dependencies that introduce vulnerabilities, backdoors, or malware into built artifacts.
If Mitigated
With proper repository controls and monitoring, impact would be limited to build failures rather than malicious dependency injection.
🎯 Exploit Status
Requires attacker to control a repository and disrupt another repository that appears earlier in the resolution order.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.3.0 and later
Vendor Advisory: https://github.com/gradle/gradle/security/advisories/GHSA-mqwm-5m85-gmcv
Restart Required: No
Instructions:
1. Update the Gradle wrapper to version 9.3.0 or later by running './gradlew wrapper --gradle-version=9.3.0' (or a newer version).
2. Verify the update by checking that distributionUrl in gradle/wrapper/gradle-wrapper.properties points at a 9.3.0 or later distribution, and commit the updated wrapper files.
3. Builds that invoke a locally installed 'gradle' binary (for example on CI images) rather than the wrapper must upgrade that installation separately; the wrapper update alone does not cover them.
🔧 Temporary Workarounds
Repository order hardening
Reorder repositories so that trusted repositories come first and any less-trusted repository last; Gradle consults repositories in declaration order. Ordering alone is a weak control here, because a less-trusted repository declared after a trusted one is exactly the position the attack needs, so combine it with content filtering below.
Modify settings.gradle(.kts) or build.gradle(.kts) to reorder repositories
Disable repository fallback
Restrict each repository to the artifacts it is expected to serve, so that a disrupted repository cannot be silently replaced by a later one for the same dependency
Use repository content filtering ('content { }' or 'exclusiveContent { }' in the repositories block) to pin groups or modules to a single repository; a dependency declared exclusive to one repository is never requested from any other
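The two workarounds above combined in one settings.gradle.kts, as an added example (it is not from the advisory or from the Gradle project). The internal mirror URL, the repository names and the group patterns are placeholders to be replaced with your own; the DSL calls (dependencyResolutionManagement, RepositoriesMode.FAIL_ON_PROJECT_REPOS, exclusiveContent, content) are standard Gradle settings API.

```kotlin
// settings.gradle.kts -- added example, not part of the advisory or the Gradle code base.
dependencyResolutionManagement {
    // Refuse repositories declared in individual build scripts, so the ordered
    // list below is the only resolution order the whole build can use.
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)

    repositories {
        // Trusted repositories first: Gradle consults repositories in this order.
        mavenCentral()

        // Hypothetical internal mirror (placeholder URL). Everything matching the
        // filter resolves from this repository ONLY: Gradle never asks any other
        // repository for these groups, so if this repository is unreachable the
        // build fails instead of silently taking the artifact from a later entry.
        exclusiveContent {
            forRepository {
                maven {
                    name = "internal"
                    url = uri("https://artifacts.example.internal/maven2") // placeholder
                }
            }
            filter {
                includeGroupByRegex("com\\.example\\..*") // placeholder group pattern
            }
        }

        // Less-trusted repository last, and narrowed to the one group it is
        // expected to serve. Even when it is consulted, it cannot serve a
        // substitute for anything pinned to the repositories above.
        maven {
            name = "thirdparty"
            url = uri("https://jitpack.io")
            content {
                includeGroup("com.github.some-org") // placeholder group
            }
        }
    }
}
```

After applying this, run a build with the internal mirror unreachable (for example by pointing the URL at a closed port in a scratch copy) and confirm that resolution of a pinned group fails rather than succeeding from another repository; a successful resolution means the filter does not cover that group.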
🧯 If You Can't Patch
- Declare only trusted repositories, and use content filtering so each repository can serve only the groups or modules it is expected to provide
- Enable Gradle dependency verification (checksums and/or PGP signatures recorded in gradle/verification-metadata.xml, bootstrapped with './gradlew --write-verification-metadata sha256'), so a tampered artifact fails the build regardless of which repository served it
- Monitor build logs for repository switching behavior and investigate any anomalies
🔍 How to Verify
Check if Vulnerable:
Check Gradle version with './gradlew --version' or 'gradle --version' and verify it's below 9.3.0
Check Version:
./gradlew --version | grep Gradle
Verify Fix Applied:
Confirm Gradle version is 9.3.0 or higher and test builds with simulated repository failures
📡 Detection & Monitoring
Log Indicators:
- Multiple repository connection errors in build logs
- Builds switching between different repositories unexpectedly
Network Indicators:
- Unusual connections to untrusted repositories during builds
- Multiple failed connections to a repository followed by successful connections to another
SIEM Query:
source="gradle-build.log" AND ("NoHttpResponseException" OR "repository failed" OR "falling back to")