CVE-2026-53914

Hi,

It looks like this vulnerability present in KAPT, CVE-2026-53914, has been classed as 9.8 severity by NIST but has been classed as medium severity by JetBrains, and it’s been scheduled for a September release: 2.4.20.

We’re trying to assess how concerned we need to be about this. On the surface it seems like something that would be difficult to exploit, and I think that’s what the JetBrains assessment reflects.

But there’s not a lot of information about it; it refers to an issue, KT-86604, which doesn’t seem to exist in YouTrack.

Does anyone have any more information about it which could help us assess the risk around it?

It seems that this CVE only applies if you’re using Gradle’s Build Cache (org.gradle.caching=true) and your environment is set up in such a way that untrusted actors can put cache entries in it. For public repos it would be a bigger issue in the first place that untrusted actors have write access to the build cache store, or an incorrect CI setup (where Pull Request builds write into your main build cache, which is also wrong on its own). So I agree on medium to low severity.
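As an added illustration (not from this thread), a settings.gradle.kts sketch of the CI setup the reply above describes: every build may read from the shared remote build cache, but only trusted builds (for example, merges to the main branch) may push into it. The cache URL and the CI_TRUSTED, CACHE_USER and CACHE_PASSWORD environment variables are assumed placeholders for your own setup.

```kotlin
// settings.gradle.kts (added example, not from the thread).
// Assumptions: the cache URL and the CI_TRUSTED / CACHE_USER / CACHE_PASSWORD
// environment variables are placeholders for your own CI configuration.

// Only builds that the pipeline has already vetted (e.g. merges to main)
// should be able to write into the shared cache. Pull-request builds still
// benefit from reading it, but must never push.
val isTrustedCiBuild = System.getenv("CI_TRUSTED") == "true"

buildCache {
    // The local cache is private to the machine, so pushing there is fine.
    local {
        isEnabled = true
    }

    remote<HttpBuildCache> {
        url = uri("https://build-cache.example.invalid/cache/") // placeholder
        isEnabled = true

        // Weak setting: `isPush = true` for every build, including PR builds,
        // means untrusted builds write entries that later trusted builds reuse.
        // Corrected: push only from trusted builds; everything else is read-only.
        isPush = isTrustedCiBuild

        // Require TLS and a trusted certificate for the cache endpoint.
        isAllowInsecureProtocol = false
        isAllowUntrustedServer = false

        // Write credentials are only supplied to trusted jobs; PR jobs get none.
        if (isTrustedCiBuild) {
            credentials {
                username = System.getenv("CACHE_USER")
                password = System.getenv("CACHE_PASSWORD")
            }
        }
    }
}
```

With this split, a pull-request build that reproduces a task from the cache can only read entries produced by trusted builds, which is the condition the reply treats as making the CVE a low-to-medium concern.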