{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2302", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2026-02-10T18:55:25.485Z", "datePublished": "2026-02-10T18:59:23.760Z", "dateUpdated": "2026-02-27T13:29:42.348Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Ruby Driver", "vendor": "MongoDB Inc", "versions": [{"lessThanOrEqual": "7.6.1", "status": "affected", "version": "7.0.0", "versionType": "semver"}, {"lessThanOrEqual": "8.0.12", "status": "affected", "version": "8.0.0", "versionType": "semver"}, {"lessThanOrEqual": "8.1.12", "status": "affected", "version": "8.1.0", "versionType": "semver"}, {"lessThanOrEqual": "9.0.10", "status": "affected", "version": "9.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.<br>"}], "value": "Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "183", "lang": "en"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-02-10T18:59:23.760Z"}, "references": [{"url": "https://jira.mongodb.org/browse/MONGOID-5919"}], "source": {"discovery": "UNKNOWN"}, "title": "Unsafe Reflection in Mongoid::Criteria.from_hash", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-183", "lang": "en", "description": "CWE-183 Permissive List of Allowed Inputs"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T19:09:37.837399Z", "id": "CVE-2026-2302", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T13:29:42.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2302", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T19:09:37.837399Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-183", "description": "CWE-183 Permissive List of Allowed Inputs"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T19:09:41.345Z"}}], "cna": {"title": "Unsafe Reflection in Mongoid::Criteria.from_hash", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB Ruby Driver", "versions": [{"status": "affected", "version": "7.0.0", "versionType": "semver", "lessThanOrEqual": "7.6.1"}, {"status": "affected", "version": "8.0.0", "versionType": "semver", "lessThanOrEqual": "8.0.12"}, {"status": "affected", "version": "8.1.0", "versionType": "semver", "lessThanOrEqual": "8.1.12"}, {"status": "affected", "version": "9.0.0", "versionType": "semver", "lessThanOrEqual": "9.0.10"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jira.mongodb.org/browse/MONGOID-5919"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.", "supportingMedia": [{"type": "text/html", "value": "Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "183"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-02-10T18:59:23.760Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2302", "state": "PUBLISHED", "dateUpdated": "2026-02-27T13:29:42.348Z", "dateReserved": "2026-02-10T18:55:25.485Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2026-02-10T18:59:23.760Z", "assignerShortName": "mongodb"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Under specific conditions when processing a maliciously crafted value of type Hash r, Mongoid::Criteria.from_hash may allow for executing arbitrary Ruby code."}, {"lang": "es", "value": "Bajo condiciones espec\u00edficas, al procesar un valor manipulado maliciosamente de tipo Hash r, Mongoid::Criteria.from_hash puede permitir la ejecuci\u00f3n de c\u00f3digo Ruby arbitrario."}], "id": "CVE-2026-2302", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2026-02-10T19:16:04.677", "references": [{"source": "cna@mongodb.com", "url": "https://jira.mongodb.org/browse/MONGOID-5919"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-183"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0,7.6.1]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.12]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,8.1.12]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.0.10]"}}], "product": "ruby_driver", "vendor": "mongodb"}], "analysis": {"en": {"generated_at": "2026-04-17T20:28:41.059825+00:00", "value": {"mitigation_remediation": ["Upgrade the MongoDB Ruby Driver to the latest release that contains the fix for this issue.", "Validate or sanitize all incoming data so that only expected scalar values are accepted before they reach Criteria.from_hash; reject or reject Hash objects that are not part of legitimate queries.", "If the Criteria.from_hash method is not essential for your application, replace it with safer query construction techniques or remove its use entirely.", "Monitor application logs for unexpected Hash inputs or signs of code execution and investigate anomalies promptly."], "summary": {"action": "Immediate patch", "impact": "Arbitrary Ruby code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MongoDB Inc\u2019s MongoDB Ruby Driver. No specific affected version range is supplied in the data, so any installation that uses the Criteria.from_hash method and has not applied a later patch may be exposed.\n", "description_and_impact": "Mongoid::Criteria.from_hash can perform an unsafe reflection operation when a specially crafted Hash is processed, allowing injected code to be executed within the Ruby environment. The flaw enables an attacker to run arbitrary Ruby code on the host running the driver, potentially compromising confidentiality, integrity, and availability of the application and underlying systems.", "risk_and_exploitability": "The CVSS base score of 6.9 categorizes the threat as moderate. The EPSS score of <1% indicates that current exploitation activity is very low, but the presence of the flaw in a widely used driver means it could still be leveraged in targeted attacks. The vulnerability is not listed in CISA\u2019s KEV catalog, yet the ability to execute arbitrary Ruby code directly affects system security. Exploits would require an attacker to supply a malicious Hash object to the application \u2013 for example, via an API request or internal data ingestion \u2013 and the driver must be calling Criteria.from_hash during processing. If the application does not use this API or if input is tightly validated, the attack surface is mitigated.\n"}}}}, "created": "2026-02-10T21:33:19.967183+00:00", "updated": "2026-04-17T20:30:15.817642+00:00", "vendors": ["mongodb", "mongodb$PRODUCT$ruby_driver"]}