Unsafe Reflection in Mongoid::Criteria.from_hash_CVE-2026-2302

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

Basic Information

ID CVE-2026-2302

Source mongodb

Published Feb 10, 2026 at 18:59

Modified Feb 10, 2026 at 19:09

Affected Product

Vendor MongoDB Inc

Product MongoDB Ruby Driver

Version 7.0.0

Affected Versions MongoDB Inc MongoDB Ruby Driver 7.0.0
MongoDB Inc MongoDB Ruby Driver 8.0.0
MongoDB Inc MongoDB Ruby Driver 8.1.0
MongoDB Inc MongoDB Ruby Driver 9.0.0

References

jira.mongodb.org /browse/MONGOID-5919

{
    "lastseen": "",
    "description": "Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.",
    "published": "2026-02-10T18:59:23.760Z",
    "modified": "2026-02-10T19:09:44.196Z",
    "type": "cve",
    "title": "Unsafe Reflection in Mongoid::Criteria.from_hash",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/MONGOID-5919",
    "id": "CVE-2026-2302",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "MongoDB Inc MongoDB Ruby Driver 7.0.0\nMongoDB Inc MongoDB Ruby Driver 8.0.0\nMongoDB Inc MongoDB Ruby Driver 8.1.0\nMongoDB Inc MongoDB Ruby Driver 9.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Ruby Driver",
    "version": "7.0.0",
    "vendor": "MongoDB Inc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply