CVE-2026-2302

MEDIUM 6.5

Unsafe Reflection in Mongoid::Criteria.from_hash

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

Vendor	mongodb inc
Product	mongodb ruby driver
Published	Feb 10, 2026
Last Updated	Feb 27, 2026

Stay Ahead of the Next One

Get instant alerts for mongodb inc mongodb ruby driver

Be the first to know when new medium vulnerabilities affecting mongodb inc mongodb ruby driver are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

MongoDB Inc / MongoDB Ruby Driver

7.0.0 ≤ 7.6.1 8.0.0 ≤ 8.0.12 8.1.0 ≤ 8.1.12 9.0.0 ≤ 9.0.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

jira.mongodb.org: https://jira.mongodb.org/browse/MONGOID-5919