Gradle Failure to Disable Repositories with Unknown Host Vulnerability (CVE-2026-22816)

From the screenshot, the following key information about the vulnerability can be obtained: Vulnerability Title: - Failure to disable repositories with unknown host can expose builds to malicious artifacts Severity: - High (Severity: High, CVSS: 8.6/10) Affected Scope: - Affected Versions: - = 9.3.0 CVSS v4 Base Metrics: - Attack Vector: Network - Attack Complexity: High - Attack Requirements: Present - Required Privileges: None - User Interaction: Passive System Vulnerability Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None Subsequent System Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None CVE ID: - CVE-2026-22816 Weaknesses: - CWE-494 - CWE-829 Key Points Summary: - This vulnerability exists when Gradle fails to properly disable repositories containing unknown hostnames, potentially exposing builds to malicious artifacts. - The issue was patched in versions 8.14.4 and 9.3.0. - During dependency resolution, if Gradle encounters a connection error, it should disable the repository and interrupt the dependency resolution process to ensure build reproducibility and security. - In previous Gradle versions, certain exceptions were not correctly identified as fatal errors, causing Gradle to continue resolving dependencies from different repositories, increasing security risks. - The risk posed by this vulnerability can be mitigated by implementing strict content filtering or dependency validation. If upgrading Gradle is not possible, configuring dependency validation to ensure only expected dependencies are resolved is recommended.

Goal Reached Thanks to every supporter — we hit 100%!

Gradle Failure to Disable Repositories with Unknown Host Vulnerability (CVE-2026-22816)

More from this source