URL Path Injection in Swoosh Microsoft Graph Adapter
CVE-2026-54893
2.1LOW
What is CVE-2026-54893?
The Swoosh library contains a vulnerability within its Microsoft Graph adapter that allows attackers to inject malicious characters into the API request URL. This issue arises from improper handling of the sender's email address when constructing the URL path. By exploiting untrusted user inputs, attackers can manipulate the request to redirect it to unintended Microsoft Graph endpoints, thereby gaining the ability to control the request's query string and potentially compromising sensitive data. Applications using a secure, fixed 'from' address are not impacted. This vulnerability affects Swoosh versions between 1.12.0 and 1.26.2.
Affected Version(s)
swoosh 1.12.0 < 1.26.3
swoosh 23bfcdab71aee4613858ba6d116bb3311b72aa58
