CVE-2026-27492
Email Property Leakage in Lettermint Node.js SDK

Publication date: 2026-02-21

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence, such as transactional flows like password resets or notifications, are affected. This issue has been fixed in version 1.5.1.
Meta Information
Published: 2026-02-21
Last Modified: 2026-02-24
Generated: 2026-06-16
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
| Vendor | Product | Version / Range |
| --- | --- | --- |
| lettermint | lettermint | up to 1.5.1 (exclusive) |
CWE
| CWE ID | Description |
| --- | --- |
| CWE-488 | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. |
Executive Summary

CVE-2026-27492 is a vulnerability in the Lettermint Node.js SDK versions 1.5.0 and below where email properties such as recipient addresses (to), subject, HTML content, text content, and attachments are not reset between multiple .send() calls when reusing a single client instance.

This improper state management causes data from a previous email send to leak into subsequent emails, potentially exposing sensitive content or recipient information to unintended parties.

The issue particularly affects applications that send emails sequentially to different recipients, such as transactional email flows for password resets or notifications.

The vulnerability has been fixed in version 1.5.1 by resetting email properties after each send operation.

Impact Analysis

This vulnerability can lead to unintended leakage of email content or recipient addresses from one email to another when using the same client instance for multiple sends.

As a result, sensitive information such as email subjects, body content, attachments, or recipient lists may be delivered to unintended parties.

This is especially critical in applications that send transactional emails like password resets or notifications to different users in sequence, potentially compromising confidentiality.


Detection Guidance

This vulnerability arises when a single Lettermint Node.js SDK client instance is reused across multiple .send() calls without resetting email properties, causing data leakage between emails.

To detect this issue on your system, you can review your application code to check if the Lettermint client instance is reused for multiple email sends without re-instantiation or property reset.

There are no specific network commands or automated detection tools mentioned for this vulnerability.

A practical approach is to audit your email sending logic for reuse of the same client instance and verify if email properties (to, subject, html, text, attachments) persist across sends.
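
The audit described above, as an added example (not code from the Lettermint SDK or from this advisory): a constructed fluent builder that keeps its payload on the instance, the same builder with a reset in send(), and a helper that sends two messages through one instance and lists the fields carried over. All class, function and field names and the example.test addresses are assumptions, and to() appending recipients is a modelling choice.

```javascript
// Constructed model of the bug class (CWE-488); NOT the Lettermint SDK's source.
// Class, method and field names are hypothetical.
class LeakyEmailBuilder {
  constructor(transport) {
    this.transport = transport; // function that receives the final payload
    this.payload = {};
  }
  // Assumption of this model: to() appends, so recipients accumulate.
  to(addr) { (this.payload.to ??= []).push(addr); return this; }
  subject(s) { this.payload.subject = s; return this; }
  html(h) { this.payload.html = h; return this; }
  text(t) { this.payload.text = t; return this; }
  send() {
    // Bug: the payload survives this call and is reused by the next send().
    return this.transport(JSON.parse(JSON.stringify(this.payload)));
  }
}

class ResettingEmailBuilder extends LeakyEmailBuilder {
  send() {
    const snapshot = this.payload;
    this.payload = {}; // reset before hand-off, so a throwing transport cannot skip it
    return this.transport(snapshot);
  }
}

// Audit helper: send two unrelated messages through ONE instance and report
// which fields of the second outgoing payload carry data from the first.
function findLeakedFields(BuilderClass) {
  const sent = [];
  const builder = new BuilderClass((p) => { sent.push(p); return p; });
  // Constructed sample messages.
  builder.to('alice@example.test').subject('Password reset').html('<p>token-A</p>').send();
  builder.to('bob@example.test').text('Your order shipped').send();
  const second = sent[1];
  const leaked = [];
  if (second.to.includes('alice@example.test')) leaked.push('to');
  if (second.subject === 'Password reset') leaked.push('subject');
  if (second.html === '<p>token-A</p>') leaked.push('html');
  return leaked;
}

console.log('shared instance, no reset:', findLeakedFields(LeakyEmailBuilder));
console.log('reset after send:', findLeakedFields(ResettingEmailBuilder));
```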

Mitigation Strategies

The primary mitigation is to upgrade the Lettermint Node.js SDK to version 1.5.1 or later, where the vulnerability has been fixed.

If immediate upgrading is not feasible, a recommended temporary workaround is to instantiate a new client instance for each email send operation to prevent email property leakage between sends.

- Upgrade to lettermint-node version 1.5.1 or later.
- Create a new Lettermint client instance for each email send, for example:

```javascript
const client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });
await client.email.to('...').subject('...').html('...').send();
```

[1]
