CVE-2026-54893 PUBLISHED

Email-derived URL path injection in the Swoosh Microsoft Graph adapter

Assigner: EEF
Reserved: 16.06.2026 Published: 06.07.2026 Updated: 06.07.2026

URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.

In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected.

This issue affects swoosh from 1.12.0 before 1.26.3.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 2.1

Product Status

Vendor swoosh
Product swoosh
Versions Default: unaffected
  • affected from 1.12.0 to 1.26.3 (excl.)
Vendor swoosh
Product swoosh
Versions Default: unaffected
  • affected from 23bfcdab71aee4613858ba6d116bb3311b72aa58 to e38235453e81d1727bfc8d91e69ec4cb211ccf61 (excl.)

Affected Configurations

This vulnerability only affects applications that use Swoosh.Adapters.MsGraph and derive the email "from" address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature). Applications that always send with a fixed, trusted "from" address are not affected.

Workarounds

Validate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular /, ?, #, and ..) before passing the email to the adapter. Alternatively, set a static :url in the adapter configuration, which bypasses interpolation of the from address into the request path.

Credits

  • Peter Ullrich finder
  • Po Chen remediation developer
  • Jonatan Männchen analyst

References

Problem Types

  • CWE-116 Improper Encoding or Escaping of Output CWE

Impacts

  • CAPEC-664 Server Side Request Forgery