Mongoid::Criteria.from_hash method allows arbitrary method calls
Published: February 27, 2026
SECURITY IDENTIFIERS
- CVE: CVE-2026-2302 (NVD)
- GHSA: GHSA-68xj-h57p-gg5j
GEM
SEVERITY
CVSS v3.x: 6.5 (Medium)
PATCHED VERSIONS
~> 7.6.1
~> 8.0.12
~> 8.1.12
>= 9.0.10
DESCRIPTION
Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.
RELATED
- https://nvd.nist.gov/vuln/detail/CVE-2026-2302
- https://github.com/mongodb/mongoid/releases/tag/v9.0.10
- https://github.com/mongodb/mongoid/pull/6099
- https://rubygems.org/gems/mongoid/versions/8.1.12 - https://github.com/mongodb/mongoid/releases/tag/v8.1.12 - https://github.com/mongodb/mongoid/pull/6100
- https://rubygems.org/gems/mongoid/versions/8.0.12 - https://github.com/mongodb/mongoid/releases/tag/v8.0.12 - https://github.com/mongodb/mongoid/pull/6101
- https://rubygems.org/gems/mongoid/versions/7.6.1 - https://github.com/mongodb/mongoid/releases/tag/v7.6.1 - https://github.com/mongodb/mongoid/pull/6102
- https://github.com/mongodb/mongoid/pull/6087
- https://github.com/mongodb/mongoid/pull/6086
- https://github.com/mongodb/mongoid/pull/6085
- https://github.com/mongodb/mongoid/pull/6084
- https://github.com/mongodb/mongoid/pull/6083
- https://jira.mongodb.org/browse/MONGOID-5919
- https://github.com/advisories/GHSA-68xj-h57p-gg5j
