
Ruby 2.7.2 uses 2.7.0 libraries


I have Ruby 2.7.2 installed using rbenv, but when I run the following code:

require 'webrick'

WEBrick::VERSION
# => "1.6.0"
WEBrick::HTTPUtils.method(:mime_type).source_location
# => ["/Users/my_user/.rbenv/versions/2.7.2/lib/ruby/2.7.0/webrick/httputils.rb", 133]

I have the webrick version 1.6, which has a security issue which was patched in ruby 2.7.2.

This also happens in our dev/prod environments where we use a docker image with ruby 2.7.2, so I don't think it is an rbenv issue.

What I want to know is, why is my ruby interpreter using libraries from version 2.7.0?


Solution

  • The versioned directory within the lib directory, i.e. 2.6.0 in your example does not denote the exact Ruby the library files belong to but instead the "library compatible version".

    In the old times, when even minor versions were widely different, you had directories such as 1.8.6, or 1.8.7 there because those Ruby versions were rather different from each other. Their patch releases however were compatible enough that installed gems should be compatible within that version range.

    With the Ruby 1.9.x releases, this was a mixed bag. Ruby 1.9.0 and 1.9.1 each had their respective versioned directories. Ruby 1.9.2 and 1.9.3 claimed to be library compatible with Ruby 1.9.1 and thus continued to use the 1.9.1 directory. This was explained in a FAQ within the release announcement of Ruby 1.9.2.

    With Ruby 2.x, this scheme was further refined. Unless there are strict breaking changes (of which there were none yet), all minor releases use the library version of their first point release. All Ruby 2.1.x versions thus use 2.1.0, all Ruby 2.7.x versions use 2.7.0 and so on.

    As such, while you definitely should not mix the standard libraries of multiple ruby versions, the library version number in the lib directories stays the same over different point releases. This allows for example to retain installed gems for a certain minor release when updating the Ruby version.

    The version of your webrick library is thus the one you want to have. In the Ruby release, the Ruby team has just backported the fix for the webrick library rather than bumping the whole library.
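The mapping the answer describes can be checked from inside the interpreter. The following is an added example, not code from the question or the answer: it derives the "library compatible version" directory name from a Ruby version string (2.x and later map to major.minor.0, 1.9.2/1.9.3 map to 1.9.1, older releases keep their own directory, exactly as laid out above), reads the value the running interpreter was built with from RbConfig, and checks that a loaded standard-library file lives under the expected lib/ruby/<version>/ directory. The function names are my own; the sample path in the usage block is the one from the question. Note that, because the webrick fix was backported without a version bump, neither the lib directory name nor WEBrick::VERSION tells you whether the fix is present; the interpreter's own RUBY_VERSION (2.7.2 here) is what carries that information.

```ruby
# Added example: relate RUBY_VERSION to the lib/ruby/<version>/ directory name.
require 'rbconfig'

# Ruby 2.x and later: every patch release of a minor series shares the lib
# directory of its first point release (2.7.2 -> "2.7.0"). Ruby 1.9.2 and
# 1.9.3 reused 1.9.1; older releases used their own directory.
def library_compat_version(ruby_version)
  major, minor, patch = ruby_version.split('.').map(&:to_i)
  if major >= 2
    "#{major}.#{minor}.0"
  elsif major == 1 && minor == 9 && patch >= 1
    '1.9.1'
  else
    ruby_version
  end
end

# The value the running interpreter was built with; this is the directory
# name it searches under lib/ruby/ and where gems for it are installed.
def running_library_version
  RbConfig::CONFIG['ruby_version']
end

# Extract the <version> component from a lib/ruby/<version>/... source path,
# or nil when the file is not part of a versioned Ruby lib directory.
def library_dir_version(source_path)
  m = source_path.match(%r{/lib/ruby/(\d+\.\d+\.\d+)/})
  m && m[1]
end

# A loaded stdlib file is consistent with the interpreter when its lib
# directory matches the library compatible version of that interpreter.
def consistent_stdlib_path?(source_path, ruby_version = RUBY_VERSION)
  library_dir_version(source_path) == library_compat_version(ruby_version)
end

if __FILE__ == $PROGRAM_NAME
  puts "RUBY_VERSION:       #{RUBY_VERSION}"
  puts "lib compat version: #{running_library_version}"

  # Path taken from the question (Ruby 2.7.2 loading webrick from 2.7.0/).
  asked = '/Users/my_user/.rbenv/versions/2.7.2/lib/ruby/2.7.0/webrick/httputils.rb'
  puts "question's path is consistent with 2.7.2: #{consistent_stdlib_path?(asked, '2.7.2')}"

  # Same check against a library actually loaded by this interpreter.
  require 'shellwords'
  path, _line = Shellwords.method(:escape).source_location
  if path
    puts "Shellwords.escape loaded from: #{path}"
    puts "consistent with #{RUBY_VERSION}: #{consistent_stdlib_path?(path)}"
  end
end
```

Running it under Ruby 2.7.2 prints a lib compat version of 2.7.0 and reports the questioner's path as consistent, which is the behaviour the answer describes rather than a mix-up of installations.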