Email-derived URL path injection in the Swoosh Microsoft Graph adapter

Summary

CVECVE-2026-54893
StatePUBLISHED
AssignerEEF
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-06 15:16:39 UTC
Updated2026-07-06 19:37:48 UTC
DescriptionURL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation. In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected. This issue affects swoosh from 1.12.0 before 1.26.3.

Risk And Classification

Primary CVSS: v4.0 2.1 LOW from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-116 | CWE-116 CWE-116 Improper Encoding or Escaping of Output


VersionSourceTypeScoreSeverityVector
4.06b3ad84c-e1a6-4bf7-a703-f496b71e49dbSecondary2.1LOWCVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/C...
4.0CNACVSS2.1LOWCVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

CVSS v4.0 Breakdown

Attack Vector
Local
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
Low
Availability
None
Sub Conf.
Low
Sub Integrity
Low
Sub Availability
None

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA Swoosh Swoosh affected 1.12.0 1.26.3 semver Not specified
CNA Swoosh Swoosh affected 23bfcdab71aee4613858ba6d116bb3311b72aa58 e38235453e81d1727bfc8d91e69ec4cb211ccf61 git Not specified

References

ReferenceSourceLinkTags
github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
osv.dev/vulnerability/EEF-CVE-2026-54893 6b3ad84c-e1a6-4bf7-a703-f496b71e49db osv.dev
cna.erlef.org/cves/CVE-2026-54893.html 6b3ad84c-e1a6-4bf7-a703-f496b71e49db cna.erlef.org
github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Peter Ullrich (en)

CNA: Po Chen (en)

CNA: Jonatan Männchen (en)

Additional Advisory Data

Workarounds

CNA: Validate or reject sender addresses that contain characters outside the allowed RFC 5321 set (in particular /, ?, #, and ..) before passing the email to the adapter. Alternatively, set a static :url in the adapter configuration, which bypasses interpolation of the from address into the request path.

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report