Description
Under specific conditions when processing a maliciously crafted value of type Hash, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.
Published: 2026-02-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Ruby code execution
Action: Immediate patch
AI Analysis

Impact

Mongoid::Criteria.from_hash can perform an unsafe reflection operation when a specially crafted Hash is processed, allowing injected code to execute inside the Ruby process. The flaw enables an attacker to run arbitrary Ruby code on the host running the driver, potentially compromising the confidentiality, integrity, and availability of the application and the underlying systems.

Affected Systems

The vulnerability affects MongoDB Inc’s MongoDB Ruby Driver. No specific affected version range is supplied in the data, so any installation that uses the Criteria.from_hash method and has not applied a later patch may be exposed.

Risk and Exploitability

The CVSS base score of 6.9 categorizes the threat as moderate. The EPSS score of <1% indicates that current exploitation activity is very low, but the presence of the flaw in a widely used driver means it could still be leveraged in targeted attacks. The vulnerability is not listed in CISA’s KEV catalog, yet the ability to execute arbitrary Ruby code directly affects system security. Exploitation would require an attacker to supply a malicious Hash object to the application – for example, via an API request or internal data ingestion – and the driver must be calling Criteria.from_hash while processing that input. If the application does not use this API, or if input is tightly validated before it reaches the method, the exposure is reduced.

Generated by OpenCVE AI on April 17, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MongoDB Ruby Driver to the latest release that contains the fix for this issue.
  • Validate or sanitize all incoming data so that only expected scalar values are accepted before they reach Criteria.from_hash; reject Hash objects that are not part of legitimate queries.
  • If the Criteria.from_hash method is not essential for your application, replace it with safer query construction techniques or remove its use entirely.
  • Monitor application logs for unexpected Hash inputs or signs of code execution and investigate anomalies promptly.
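One way to implement the validation and rejection steps above, as an added example that is not Mongoid's or the MongoDB Ruby Driver's own code. The allowed field names are an assumption for illustration, and the call into the query builder itself is not shown; the filter returns a cleaned Hash or raises, so the caller can refuse the request and log it.

```ruby
# Added example: allowlist filter for untrusted query parameters before they
# are handed to a query builder such as Mongoid::Criteria.from_hash.
# This is not Mongoid's or the MongoDB Ruby Driver's own code.

# Assumed schema: the only fields a client may filter on (constructed for this example).
ALLOWED_FIELDS = %w[status owner_id created_at].freeze

# Only plain scalar values are accepted; objects of any other class are rejected.
SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class UnsafeQueryInput < StandardError; end

def scalar?(value)
  SCALAR_TYPES.any? { |type| value.is_a?(type) }
end

# Returns a new Hash with string keys that contains only allowed field names and
# scalar (or array-of-scalar) values. Unknown keys, nested Hashes and objects of
# unexpected classes raise UnsafeQueryInput so the caller can refuse the request.
def sanitize_query_params(params)
  raise UnsafeQueryInput, "expected Hash, got #{params.class}" unless params.is_a?(Hash)

  params.each_with_object({}) do |(key, value), clean|
    field = key.to_s
    raise UnsafeQueryInput, "unknown field #{field.inspect}" unless ALLOWED_FIELDS.include?(field)

    case value
    when Hash
      raise UnsafeQueryInput, "nested Hash not permitted for #{field}"
    when Array
      raise UnsafeQueryInput, "non-scalar element in #{field}" unless value.all? { |e| scalar?(e) }
      clean[field] = value.dup
    else
      raise UnsafeQueryInput, "#{value.class} not permitted for #{field}" unless scalar?(value)
      clean[field] = value
    end
  end
end

# Convenience predicate, useful for logging rejected input (see the monitoring action).
def rejected?(params)
  sanitize_query_params(params)
  false
rescue UnsafeQueryInput
  true
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one legitimate filter, one carrying a nested Hash.
  p sanitize_query_params("status" => "open", "owner_id" => 7)
  p rejected?("status" => { "nested" => 1 })
end
```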

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 14:15:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-183

Tue, 10 Feb 2026 21:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Mongodb; Mongodb ruby Driver

Type: Vendors & Products
Values removed: (none)
Values added: Mongodb; Mongodb ruby Driver

Tue, 10 Feb 2026 19:15:00 +0000

Type: Description
Values removed: (none)
Values added: Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

Type: Title
Values removed: (none)
Values added: Unsafe Reflection in Mongoid::Criteria.from_hash

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-27T13:29:42.348Z

Reserved: 2026-02-10T18:55:25.485Z

Link: CVE-2026-2302

Vulnrichment

Updated: 2026-02-10T19:09:41.345Z

NVD

Status: Deferred

Published: 2026-02-10T19:16:04.677

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:30:15Z

Weaknesses