PT-2026-55935 · Swoosh · Swoosh
Jonatan Männchen
+2
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-54893
CVSS v4.0
2.1
Low
| Vector | AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N |
Name of the Vulnerable Software and Affected Versions
swoosh versions 1.12.0 through 1.26.2
Description
URL path injection exists in the Microsoft Graph adapter of Swoosh. The
Swoosh.Adapters.MsGraph component constructs the Microsoft Graph API request URL by interpolating the sender's email address into the path /users/{from}/sendMail without validation or percent-encoding. In applications where the from address is derived from untrusted or user-influenced input, an attacker can use URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment. This allows the attacker to rewrite the request path and query string, redirecting the authenticated POST request to other Graph endpoints within the token's scopes using the application's bearer token.Recommendations
Update to version 1.26.3 or later.
Validate or reject sender addresses containing characters outside the allowed RFC 5321 set, specifically
/, ?, #, and .., before passing the email to the adapter.
Set a static :url in the adapter configuration to bypass the interpolation of the from address into the request path.Fix
Improper Encoding or Escaping of Output
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Swoosh