Product Name: Gradle Build Tool
Vendor / Maintainer: Gradle, Inc.
Component Affected: Dependency Resolution & Repository Handling
Environment Impacted: CI/CD pipelines, developer workstations, enterprise build systems
Attack Surface: Build-time dependency fetching from remote repositories
Risk Level: High (Supply-chain compromise potential)

Gradle is a widely used build automation tool in Java, Kotlin, and JVM-based ecosystems. These vulnerabilities target how Gradle resolves dependencies and repositories, allowing attackers to silently inject malicious artifacts into the build process. Because builds are usually trusted, exploitation can lead to code execution, credential theft, and backdoored software releases without immediate detection.

CVE Summary Table

CVE Name	CVE ID	CVSS Score	Severity	Exploitability	Exploit Availability
Gradle Dependency Resolution Fallback Injection	CVE-2026-22865	8.8	High	Network	No public PoC (concept feasible)
Gradle Repository Hostname Resolution Hijack	CVE-2026-22816	9.1	Critical	Network	No public PoC (attack confirmed viable)

CVE-2026-22865

Gradle Dependency Resolution Fallback Allows Malicious Artifact Injection

Overview

This vulnerability exists in Gradle’s dependency resolution fallback mechanism. When Gradle fails to fetch a dependency from a primary repository, it may automatically fall back to secondary repositories without strict validation. An attacker who controls or intercepts one of these fallback sources can serve a malicious artifact with the same group, name, and version as the expected dependency.

The build completes successfully, but the compiled application now includes attacker-controlled code.

How This Could Be Exploited

A project declares a dependency (for example: com.example:auth-lib:2.1.0)
The primary repository is temporarily unreachable (network issue, DNS issue, timeout)
Gradle silently falls back to another configured or inherited repository
The attacker hosts a fake but valid-looking artifact with the same coordinates
Gradle downloads and trusts it
Malicious code executes during build or runtime

This is especially dangerous in CI/CD pipelines, where builds run automatically and artifacts are published downstream.

Technical Impact

Remote Code Execution (during build or runtime)
Supply-chain compromise
Persistent backdoors in released software
Credential exfiltration from CI environments
Lateral movement inside build infrastructure

MITRE ATT&CK Mapping

Tactic	Technique ID	Technique Name
Initial Access	T1195	Supply Chain Compromise
Execution	T1059	Command and Scripting Interpreter
Persistence	T1554	Compromise Client Software Binary
Defense Evasion	T1036	Masquerading

Detection & Indicators of Compromise

What to Look For

Unexpected artifact downloads from unknown repositories
Build logs showing fallback repository usage
Hash mismatches between expected and downloaded dependencies
Dependencies resolving faster than expected from unfamiliar hosts

Suspicious Payload Behavior

Gradle plugins executing shell commands
Obfuscated Java/Kotlin bytecode inside dependencies
Network calls during build phase
Environment variable harvesting in CI jobs

Detection Rules

Build Log Monitoring

IF build_log CONTAINS "Falling back to repository"
AND repository_url NOT IN approved_repository_list
THEN alert "Suspicious Gradle Dependency Fallback"

Artifact Integrity Check

IF dependency_hash != known_good_hash
THEN block build and notify security

Log Sources to Monitor

Gradle build logs
CI/CD pipeline execution logs
Artifact repository access logs
Network egress logs from build agents

Mitigation & Patch Guidance

Official Patch

Upgrade to the latest Gradle version where fallback behavior is hardened
Official patch available via Gradle release updates

Security Hardening

Disable automatic repository fallback
Enforce dependency verification with checksums
Use dependencyVerification {} in Gradle
Restrict repositories to allow-listed domains only
Mirror dependencies internally

CVE-2026-22816

Gradle Repository Hostname Resolution Flaw Enables Attacker-Controlled Dependency Sources

Overview

This vulnerability affects how Gradle resolves repository hostnames. Under certain configurations, Gradle does not sufficiently validate DNS resolution results. An attacker capable of DNS manipulation (spoofing, poisoning, or malicious proxying) can redirect Gradle to an attacker-controlled repository, even when a legitimate repository is configured.

The result is transparent dependency hijacking without any changes to build scripts.

How This Could Be Exploited

Gradle attempts to resolve a trusted repository hostname
DNS resolution is intercepted or poisoned
Gradle connects to an attacker-controlled server
Malicious dependencies are served over HTTPS with valid-looking metadata
Build succeeds and publishes compromised artifacts

This attack is highly effective in:

Shared corporate networks
Misconfigured DNS environments
Cloud CI runners using default DNS resolvers

Technical Impact

Full dependency source takeover
Stealthy malware injection
Compromise of signed and released software
Long-term persistence via poisoned dependencies

MITRE ATT&CK Mapping

Tactic	Technique ID	Technique Name
Initial Access	T1195	Supply Chain Compromise
Credential Access	T1552	Unsecured Credentials
Command and Control	T1071	Application Layer Protocol
Defense Evasion	T1565	Data Manipulation

Detection & Indicators of Compromise

Warning Signs

Repository IP address changes without configuration updates
TLS certificates that do not match known repository fingerprints
Sudden appearance of new transitive dependencies
Gradle builds succeeding during repository outages

Potential Payload Actions

Injecting backdoored authentication libraries
Dropping malicious Gradle plugins
Executing post-build callbacks
Exfiltrating secrets from ~/.gradle/

Detection Rules

DNS Integrity Monitoring

IF repository_domain RESOLVES_TO unknown_ip
AND ip NOT IN expected_repository_ip_range
THEN alert "Possible Gradle Repository Hijack"

TLS Validation Rule

IF repository_certificate_fingerprint CHANGES
THEN fail build and raise security alert

Log Sources to Monitor

DNS resolver logs
Gradle dependency resolution logs
Network traffic logs from build systems
Certificate transparency / TLS inspection logs

Mitigation & Patch Guidance

Official Patch

Upgrade to the latest Gradle release with improved hostname validation
Patch distributed via official Gradle update channels only

Security Best Practices

Pin repository IP ranges where possible
Use internal artifact proxies (Nexus, Artifactory)
Enable strict HTTPS certificate validation
Run builds in isolated networks
Enforce dependency locking

Final Takeaway

Both vulnerabilities represent serious supply-chain risks. Exploitation does not require access to source code and can occur silently during normal build operations. Organizations relying on Gradle for production builds should treat these CVEs as urgent, especially in automated CI/CD environments.

Immediate action: Patch, restrict repositories, verify dependencies, and monitor build behavior continuously.

High-Risk Supply Chain Exposure: Gradle Dependency Resolution Flaws Put CI/CD Pipelines at Risk

CVE Summary Table

CVE-2026-22865

Gradle Dependency Resolution Fallback Allows Malicious Artifact Injection

Overview

How This Could Be Exploited

Technical Impact

MITRE ATT&CK Mapping

Detection & Indicators of Compromise

Detection Rules

Log Sources to Monitor

Mitigation & Patch Guidance

CVE-2026-22816

Gradle Repository Hostname Resolution Flaw Enables Attacker-Controlled Dependency Sources

Overview

How This Could Be Exploited

Technical Impact

MITRE ATT&CK Mapping

Detection & Indicators of Compromise

Detection Rules

Log Sources to Monitor

Mitigation & Patch Guidance

Final Takeaway

Aegiron