PT-2026-55935 · Swoosh · Swoosh

Jonatan Männchen

+2

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-54893

CVSS v4.0

2.1

Low

VectorAV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions swoosh versions 1.12.0 through 1.26.2
Description URL path injection exists in the Microsoft Graph adapter of Swoosh. The Swoosh.Adapters.MsGraph component constructs the Microsoft Graph API request URL by interpolating the sender's email address into the path /users/{from}/sendMail without validation or percent-encoding. In applications where the from address is derived from untrusted or user-influenced input, an attacker can use URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment. This allows the attacker to rewrite the request path and query string, redirecting the authenticated POST request to other Graph endpoints within the token's scopes using the application's bearer token.
Recommendations Update to version 1.26.3 or later. Validate or reject sender addresses containing characters outside the allowed RFC 5321 set, specifically /, ?, #, and .., before passing the email to the adapter. Set a static :url in the adapter configuration to bypass the interpolation of the from address into the request path.

Fix

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-54893
GHSA-754J-98WH-57RF

Affected Products

Swoosh