RubySec

Providing security resources for the Ruby community

CVE-2026-2302 (mongoid): Mongoid::Criteria.from_hash method allows arbitrary method calls

Mongoid::Criteria.from_hash method allows arbitrary method calls

Published: February 27, 2026

SECURITY IDENTIFIERS

GEM

mongoid

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

~> 7.6.1 ~> 8.0.12 ~> 8.1.12 >= 9.0.10

DESCRIPTION

Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.

RELATED