CVE-2026-27492
Email Property Leakage in Lettermint Node.js SDK
Publication date: 2026-02-21
Last updated on: 2026-02-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lettermint | lettermint | up to 1.5.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-488 | The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27492 is a vulnerability in the Lettermint Node.js SDK versions 1.5.0 and below where email properties such as recipient addresses (to), subject, HTML content, text content, and attachments are not reset between multiple .send() calls when reusing a single client instance.
This improper state management causes data from a previous email send to leak into subsequent emails, potentially exposing sensitive content or recipient information to unintended parties.
The issue particularly affects applications that send emails sequentially to different recipients, such as transactional email flows for password resets or notifications.
The vulnerability has been fixed in version 1.5.1 by resetting email properties after each send operation.
How can this vulnerability impact me?
This vulnerability can lead to unintended leakage of email content or recipient addresses from one email to another when using the same client instance for multiple sends.
As a result, sensitive information such as email subjects, body content, attachments, or recipient lists may be delivered to unintended parties.
This is especially critical in applications that send transactional emails like password resets or notifications to different users in sequence, potentially compromising confidentiality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when a single Lettermint Node.js SDK client instance is reused across multiple .send() calls without resetting email properties, causing data leakage between emails.
To detect this issue on your system, you can review your application code to check if the Lettermint client instance is reused for multiple email sends without re-instantiation or property reset.
There are no specific network commands or automated detection tools mentioned for this vulnerability.
A practical approach is to audit your email sending logic for reuse of the same client instance and verify if email properties (to, subject, html, text, attachments) persist across sends.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Lettermint Node.js SDK to version 1.5.1 or later, where the vulnerability has been fixed.
If immediate upgrading is not feasible, a recommended temporary workaround is to instantiate a new client instance for each email send operation to prevent email property leakage between sends. [1]
- Upgrade to lettermint-node version 1.5.1 or later.
- Create a new Lettermint client instance for each email send, for example:
```javascript
const client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });
await client.email.to('...').subject('...').html('...').send();
```
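An added regression check for the property-persistence audit and the fresh-client workaround described above (example code written for this page, not Lettermint's SDK or the project's own code). `FakeEmailBuilder` and `makeClient` are constructed stand-ins for a chainable client so the check runs offline; their method names follow the advisory's snippet, and the `resetAfterSend` switch models the reported pre-1.5.1 behaviour versus the 1.5.1 fix. Against the real SDK, have `getClient` return `new Lettermint({ apiKey })` and await each `send()`.

```javascript
// Constructed stand-in for a chainable email client (not the Lettermint SDK).
// resetAfterSend=false models the reported pre-1.5.1 behaviour (properties
// survive send()); resetAfterSend=true models the 1.5.1 fix.
class FakeEmailBuilder {
  constructor(delivered, resetAfterSend) {
    this.delivered = delivered;          // constructed transport: records each send
    this.resetAfterSend = resetAfterSend;
    this.state = {};
  }
  to(addr) { this.state.to = addr; return this; }
  subject(s) { this.state.subject = s; return this; }
  html(h) { this.state.html = h; return this; }
  text(t) { this.state.text = t; return this; }
  attach(name) {
    if (!this.state.attachments) this.state.attachments = [];
    this.state.attachments.push(name);
    return this;
  }
  send() {                               // the real SDK's send() is async; await it there
    this.delivered.push({ ...this.state });
    if (this.resetAfterSend) this.state = {};   // the fix: clear properties after each send
  }
}

// Hypothetical factory standing in for `new Lettermint({ apiKey })`.
function makeClient(delivered, resetAfterSend) {
  return { email: new FakeEmailBuilder(delivered, resetAfterSend) };
}

// Regression check: send a full email, then a second one that sets only `to`.
// Any other property present on the second delivery leaked from the first.
// getClient(delivered) must return a client exposing email.to().subject().html().send().
// newClientPerSend=true applies the advisory's workaround of a fresh client per send.
function findLeakedFields(getClient, newClientPerSend = false) {
  const delivered = [];
  let client = getClient(delivered);
  client.email.to('alice@example.test').subject('Reset your password')
    .html('<p>constructed reset link for alice</p>').text('reset link for alice')
    .attach('alice-statement.pdf').send();
  if (newClientPerSend) client = getClient(delivered);
  client.email.to('bob@example.test').send();
  const second = delivered[1];
  return Object.keys(second).filter((k) => k !== 'to').sort();
}

// Stand-alone run: prints leaked fields for the buggy, fixed and workaround cases.
console.log('buggy client  :', findLeakedFields((d) => makeClient(d, false)));
console.log('fixed client  :', findLeakedFields((d) => makeClient(d, true)));
console.log('fresh per send:', findLeakedFields((d) => makeClient(d, false), true));
```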