CVE-2026-27492 in lettermint-node
Summary
by MITRE • 02/21/2026
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
Analysis
by VulDB Data Team • 02/21/2026
The vulnerability described in CVE-2026-27492 represents a critical security flaw within the Lettermint Node.js SDK affecting versions 1.5.0 and earlier. This issue manifests as a lack of proper state management within the SDK's client instance, specifically failing to reset email properties between sequential send operations. The root cause stems from improper memory management and state persistence mechanisms within the SDK's internal implementation, where email parameters including recipient addresses, subject lines, HTML content, plain text bodies, and attachment metadata are not properly cleared after each send operation. This behavior creates a persistent state that carries over between multiple calls to the send method, leading to potential information disclosure and unauthorized data exposure.
The technical implications of this vulnerability align with CWE-691, which addresses insufficient cleanup of sensitive data, and CWE-200, concerning exposure of sensitive information. The flaw operates at the application layer and demonstrates a classic case of state leakage in reusable objects, where the client instance maintains references to previously set email parameters. When developers reuse a single SDK client instance across multiple send operations, the SDK fails to properly isolate each email transaction, causing properties from one email to persist into the next. This creates a scenario where sensitive information such as recipient email addresses, content, or even attachments from one transaction can inadvertently be included in subsequent emails, potentially exposing confidential data to unintended recipients.
The operational impact of this vulnerability is particularly severe for applications implementing transactional email services such as password reset systems, notification frameworks, and user communication platforms. In production environments where email clients are reused for multiple operations, this flaw could result in serious privacy violations and data breaches. For example, when processing a series of password reset requests, the email address of the first user might be inadvertently included in the subsequent user's password reset email, creating a direct pathway for unauthorized information disclosure. The vulnerability is especially dangerous in high-volume applications where multiple email operations occur sequentially, as the risk of cross-contamination increases exponentially with the number of operations performed using the same client instance. This issue affects both the confidentiality and integrity of email communications, potentially violating data protection regulations and security compliance requirements.
Mitigation should begin with an immediate upgrade to version 1.5.1 or later, which contains the fix that resets email properties between send operations. Organizations should review their code to identify every place where the Lettermint SDK is used with a reusable client object, particularly in transactional email flows. Security teams should add monitoring and logging to detect potential leakage, especially where email content is sensitive or regulated. Developers should also be educated about the SDK's intended usage patterns, including the recommendation to create a fresh client instance for each send operation when handling sensitive data, or otherwise to ensure that state is isolated between operations. The fix in version 1.5.1 addresses the issue through state management that clears and resets email parameters after each send call, preventing any carryover of sensitive information between transactions. This vulnerability is a reminder of the importance of resource management and state isolation in SDK implementations, particularly where sensitive data is processed.
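The state-leakage pattern described in the analysis above, and the reset-after-send fix described in this mitigation paragraph, as an added example that is not Lettermint's own SDK code. It models a hypothetical fluent email client in which setters mutate one long-lived message object: LeakyClient never clears that object after send(), so recipients, HTML bodies and attachments from a welcome email carry over into the password-reset emails that follow; SafeClient detaches the message and starts a fresh one before delivery. The class and method names (LeakyClient, SafeClient, FakeTransport, to/subject/text/html/attach/send), the sample jobs and the findLeaks check are all assumptions constructed for the illustration, not the real SDK's API.

```javascript
// Added example, not Lettermint's own SDK code: a hypothetical fluent email
// client that reproduces the CVE-2026-27492 pattern (message state kept on the
// instance and never cleared after send()) next to a hardened variant.
// Class and method names (LeakyClient, SafeClient, FakeTransport, to/subject/
// text/html/attach/send) are assumptions, not the real SDK's API.

function freshMessage() {
  return { to: [], subject: undefined, text: undefined, html: undefined, attachments: [] };
}

// Stands in for the network: records each message exactly as handed over.
class FakeTransport {
  constructor() { this.sent = []; }
  deliver(message) {
    // Deep copy so later mutation of the client's state cannot rewrite the record.
    this.sent.push(JSON.parse(JSON.stringify(message)));
    return { id: `msg-${this.sent.length}` };
  }
}

// Vulnerable shape: every setter mutates one long-lived object, and send()
// hands that same object over without clearing it.
class LeakyClient {
  constructor(transport) { this.transport = transport; this.message = freshMessage(); }
  to(address) { this.message.to.push(address); return this; }
  subject(value) { this.message.subject = value; return this; }
  text(value) { this.message.text = value; return this; }
  html(value) { this.message.html = value; return this; }
  attach(file) { this.message.attachments.push(file); return this; }
  send() { return this.transport.deliver(this.message); } // no reset
}

// Hardened shape: detach the finished message and install a fresh one before
// delivery, so the next send() starts clean even if deliver() throws.
class SafeClient extends LeakyClient {
  send() {
    const message = this.message;
    this.message = freshMessage();
    return this.transport.deliver(message);
  }
}

// Constructed sample: a welcome email with an attachment followed by two
// password-reset emails, all sent through one reused client instance.
const SAMPLE_JOBS = [
  { to: 'alice@example.com', subject: 'Welcome', html: '<p>Welcome, Alice</p>', attachments: ['alice-invoice.pdf'] },
  { to: 'bob@example.com', subject: 'Password reset', text: 'Your reset token is tok-b' },
  { to: 'carol@example.com', subject: 'Password reset', text: 'Your reset token is tok-c' },
];

function runFlow(ClientClass, jobs = SAMPLE_JOBS) {
  const transport = new FakeTransport();
  const client = new ClientClass(transport);
  for (const job of jobs) {
    client.to(job.to).subject(job.subject);
    if (job.text) client.text(job.text);
    if (job.html) client.html(job.html);
    for (const file of job.attachments || []) client.attach(file);
    client.send();
  }
  return transport.sent;
}

// Regression check to keep in a test suite: each delivered message must match
// its job exactly; anything extra is carry-over from an earlier send.
function findLeaks(sent, jobs = SAMPLE_JOBS) {
  const leaks = [];
  sent.forEach((message, i) => {
    const job = jobs[i];
    const extraRecipients = message.to.filter((addr) => addr !== job.to);
    if (extraRecipients.length) leaks.push({ index: i, field: 'to', leaked: extraRecipients });
    if (message.html !== job.html) leaks.push({ index: i, field: 'html', leaked: message.html });
    if (message.text !== job.text) leaks.push({ index: i, field: 'text', leaked: message.text });
    const wanted = job.attachments || [];
    const extraFiles = message.attachments.filter((f) => !wanted.includes(f));
    if (extraFiles.length) leaks.push({ index: i, field: 'attachments', leaked: extraFiles });
  });
  return leaks;
}

console.log('leaky client:', findLeaks(runFlow(LeakyClient)));
console.log('safe client:', findLeaks(runFlow(SafeClient)));
```

Run against the sample jobs, the leaky client reports six leaks: Bob's and Carol's reset emails each inherit Alice's address in the recipient list, her HTML welcome body, and her invoice attachment, while Carol's email additionally goes to Bob. The hardened client reports none. The reset in SafeClient happens before deliver() is called rather than after, so a transport error cannot leave a half-sent message behind for the next call; a findLeaks-style comparison of what was delivered against what was intended is the kind of check worth running against any reused mail client in a transactional flow.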