CVE-2026-54893
Received Received - Intake

URL Path Injection in Swoosh MsGraph Adapter

Vulnerability report for CVE-2026-54893, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: EEF

Description

URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation. In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or # in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected. This issue affects swoosh from 1.12.0 before 1.26.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54893 is a vulnerability in the Swoosh Microsoft Graph adapter where the sender's email address is directly inserted into the Microsoft Graph API request URL path without proper percent-encoding or validation.

Because of this, attackers can inject URL-special characters such as /, ?, or # into the local part of the email address. This allows them to escape the intended URL path segment and manipulate the request path and query string.

Since the request is authenticated with the application's Microsoft Graph bearer token, attackers can redirect the request to other Graph API endpoints within the token's scopes, effectively controlling the request's destination and parameters.

This vulnerability affects Swoosh versions from 1.12.0 up to but not including 1.26.3, and only impacts applications that derive the sender address from untrusted or user-influenced input.

Impact Analysis

This vulnerability can allow an attacker to perform constrained server-side request forgery (SSRF) by redirecting authenticated Microsoft Graph API requests to unintended endpoints within the token's scopes.

If your application uses untrusted input to set the sender's email address, an attacker could manipulate the request path and query string, potentially causing unauthorized actions or data exposure within the permissions granted by the token.

Applications that always use a fixed, trusted sender address are not affected by this issue.

Detection Guidance

Detection of this vulnerability involves identifying if the application uses the Swoosh Microsoft Graph adapter with versions from 1.12.0 up to but not including 1.26.3, and if it interpolates the sender's email address into the Microsoft Graph API request URL without proper percent-encoding or validation.

Specifically, you can monitor outgoing Microsoft Graph API requests to see if the URL path contains unencoded or suspicious characters such as /, ?, or # within the sender's email address segment.

Commands to detect this might include capturing and inspecting HTTP requests from the application, for example using network tools like tcpdump or Wireshark to filter POST requests to Microsoft Graph endpoints, then searching for unencoded special characters in the URL path.

  • Use tcpdump to capture traffic on port 443 (HTTPS) and filter for POST requests to Microsoft Graph endpoints.
  • Use a proxy tool like mitmproxy or Fiddler to intercept and inspect the outgoing HTTP requests from the application.
  • Search logs or captured requests for URL paths containing unencoded special characters in the sender email portion, such as /, ?, or #.
Mitigation Strategies

Immediate mitigation steps include validating or rejecting sender email addresses that contain URL-special characters such as /, ?, or # before they are passed to the Swoosh Microsoft Graph adapter.

Alternatively, configure the adapter to use a static, fixed, and trusted sender address to avoid interpolation of untrusted input into the URL path.

Upgrading the Swoosh library to version 1.26.3 or later is recommended, as this version includes a fix that percent-encodes the sender email address before interpolation, neutralizing injection vectors.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart