Intel

AIKIDO-2026-647631

swoosh is vulnerable to Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF)CVE-2026-54893 Published 2 days ago

21

Low Risk

This Affects:

ELIXIRswoosh
1.12.0 - 1.26.2
Fixed in 1.26.3
Are you affected? Scan for Free

TL;DR

Swoosh.Adapters.MsGraph builds its Microsoft Graph API request URL by interpolating the sender's email address into the path /users/{from}/sendMail without percent-encoding or validation. In lib/swoosh/adapters/ms_graph.ex, api_endpoint_url/2 places the from value verbatim into the URL, and deliver/2 issues an authenticated POST to that constructed endpoint using the application's Graph bearer token. In applications that derive the from address from untrusted or user-influenced input (such as a relay, contact form, or send-as feature), an attacker can inject URL-special characters (/, ?, #) into the local part of the address to escape the intended path segment and rewrite the request's path and query string. Because the redirected request is still sent with the application's Microsoft Graph credentials, the attacker can steer it to other Graph endpoints within the token's scopes. Applications that always send with a fixed, trusted from address are not affected.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses Swoosh.Adapters.MsGraph with a from address derived from untrusted or user-influenced input (for example a relay, contact form, or send-as feature). Applications that always send with a fixed, trusted from address are not affected.

Background info

swoosh is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.12.0 - 1.26.2.

How to fix this

Upgrade the swoosh library to the patch version. As a workaround, validate or reject sender addresses that contain URL-special characters such as /, ?, #, and .. before passing them to the adapter, or configure a static :url in the MsGraph adapter settings to bypass from interpolation.