Skip to main content

Swoosh MsGraph EUVDEUVD-2026-41876

| CVE-2026-54893 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-07-06 EEF
2.1
CVSS 4.0 · Vendor: EEF

Severity by source

Vendor (EEF) PRIMARY
2.1 LOW
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

Attack is network-delivered via application input (AV:N); AC:H reflects non-default prerequisite of user-controlled `from`; scope changes to Microsoft Graph API (S:C).

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (EEF).

CVSS VectorVendor: EEF

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 14:55 vuln.today

DescriptionCVE.org

URL path injection in the Microsoft Graph adapter of Swoosh. Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the URL path (/users/{from}/sendMail) without percent-encoding or validation.

In applications that derive the from address from untrusted or user-influenced input (for example a relay, a contact form, or a "send as" feature), an attacker can place URL-special characters such as /, ?, or

in the local part of the address to escape the intended path segment and rewrite the path and query string of the request. Because the same authenticated POST is sent with the application's Microsoft Graph bearer token, the attacker can redirect it to other Graph endpoints within the token's scopes and control the request's query string. Applications that always use a fixed, trusted from address are not affected.

This issue affects swoosh from 1.12.0 before 1.26.3.

AnalysisAI

{from}/sendMail path segment, rewriting both path and query string of the outbound request. No public exploit has been identified at time of analysis; a vendor-released patch is available in version 1.26.3.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted email address via user-accessible input
Delivery
Swoosh interpolates unencoded address into /users/{from}/sendMail URL path
Exploit
URL-special characters escape intended path segment
Execution
Malformed authenticated POST dispatched with application's Microsoft Graph bearer token
Impact
Unauthorized Graph API endpoint accessed within token's granted scopes

Vulnerability AssessmentAI

Exploitation Exploitation requires both of the following conditions simultaneously: (1) the application uses Swoosh's Microsoft Graph adapter (Swoosh.Adapters.MsGraph) specifically - no other adapter is vulnerable; and (2) the `from` address value passed to the adapter is derived from untrusted or user-influenced input, such as a contact form sender field, an email relay that accepts arbitrary from addresses, or a 'send as' feature that allows users to specify the sender. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 4.0 score is 2.1 (Very Low), reflecting AT:P (specific attack prerequisite required) and VI:L/SC:L/SI:L (limited integrity impacts across vulnerable and subsequent systems). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a contact form on a web application using Swoosh's MsGraph adapter, entering a crafted sender address such as victim@domain.com/../../me/messages?%24select=subject as the from value. Swoosh interpolates this directly into the Graph API URL without encoding, rewriting the request from the intended /users/victim@domain.com/sendMail path to a different Graph endpoint, and the authenticated POST is dispatched with the application's bearer token to the attacker-chosen resource. …
Remediation Upgrade Swoosh to version 1.26.3 or later; the fix is delivered via commit e38235453e81d1727bfc8d91e69ec4cb211ccf61 (https://github.com/swoosh/swoosh/commit/e38235453e81d1727bfc8d91e69ec4cb211ccf61) and the vendor security advisory is at https://github.com/swoosh/swoosh/security/advisories/GHSA-754j-98wh-57rf. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy