CVE-2026-27492 Overview
CVE-2026-27492 is an Information Leakage vulnerability affecting the Lettermint Node.js SDK, the official SDK for the Lettermint email service. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties.
Critical Impact
Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — may inadvertently expose sensitive content or recipient addresses to unintended parties due to state persistence across send operations.
Affected Products
- Lettermint Node.js SDK versions ≤ 1.5.0
- Applications using a single Lettermint client instance for multiple sequential email sends
- Transactional email workflows (password resets, notifications, account verifications)
Discovery Timeline
- 2026-02-21 - CVE CVE-2026-27492 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2026-27492
Vulnerability Analysis
This vulnerability falls under CWE-488 (Exposure of Data Element to Wrong Session), a class of information disclosure flaws where data intended for one session or context improperly persists and becomes accessible in another. In the Lettermint Node.js SDK, the email client object maintains internal state containing email properties such as recipient addresses, subject lines, HTML/text body content, and attachments. When developers reuse a single client instance across multiple .send() calls — a common pattern for performance optimization — the SDK fails to clear this state after each transmission.
The practical impact is significant for applications that send sensitive transactional mail. If a password-reset message is sent to User A and the same instance is then used to send to User B, every field the second send does not explicitly set keeps its value from the first. Depending on which fields are reused, User B's message can carry User A's reset link in the HTML body, User A's attachments, or other remnants of User A's message. That is a privacy violation on its own, and a reset link delivered to the wrong recipient can let that recipient take over the original user's account.
Root Cause
The root cause is the absence of state reset logic in the send workflow. The send() method transmitted the client's persistent payload object and, after a successful send, neither cleared nor reinitialised it; the idempotency key set for one send was retained in the same way. Properties set for one email therefore stayed in memory and propagated to later sends on the same instance unless the caller happened to overwrite them. A retained idempotency key is a separate hazard: depending on how the service applies such keys, the next message could be treated as a retry of the previous one.
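The state persistence described above, as an added example that is not Lettermint's code: a stand-in for a builder-style email client that keeps one payload object alive across sends, beside the same client with reset-after-send. The method names (from/to/subject/html/text/attach/send), the recording transport and the addresses are hypothetical; the leak mechanism is the one the advisory describes.

```typescript
// Added example, not Lettermint's code. Builder method names, the transport
// and all addresses/tokens are hypothetical stand-ins.

interface Payload {
  from: string;
  to: string[];
  subject: string;
  html?: string;
  text?: string;
  attachments?: { filename: string; content: string }[];
}

// Hypothetical transport standing in for the HTTP client: it snapshots what
// would have gone over the wire and can be told to fail the next request.
class RecordingTransport {
  sent: Payload[] = [];
  failNext = false;
  post(payload: Payload): { status: number } {
    if (this.failNext) {
      this.failNext = false;
      throw new Error("upstream 503");
    }
    // Serialise, as an HTTP client would, so later mutation cannot change it.
    this.sent.push(JSON.parse(JSON.stringify(payload)) as Payload);
    return { status: 200 };
  }
}

// Vulnerable shape: one payload object lives as long as the client, and send()
// never clears it, so any field the next message does not set survives.
class LeakyClient {
  protected payload: Payload = { from: "", to: [], subject: "" };
  constructor(protected transport: RecordingTransport) {}
  from(addr: string): this { this.payload.from = addr; return this; }
  to(...addrs: string[]): this { this.payload.to = addrs; return this; }
  subject(s: string): this { this.payload.subject = s; return this; }
  html(h: string): this { this.payload.html = h; return this; }
  text(t: string): this { this.payload.text = t; return this; }
  attach(filename: string, content: string): this {
    if (!this.payload.attachments) this.payload.attachments = [];
    this.payload.attachments.push({ filename, content });
    return this;
  }
  send(): { status: number } {
    return this.transport.post(this.payload); // nothing is reset afterwards
  }
}

// Fixed shape: the payload is replaced after every send. Doing it in `finally`
// also covers a send that throws, so a later message cannot inherit the fields
// of a failed one. (The real SDK is async; `try { return await ... } finally`
// is the same pattern.)
class ResettingClient extends LeakyClient {
  send(): { status: number } {
    try {
      return this.transport.post(this.payload);
    } finally {
      this.payload = { from: "", to: [], subject: "" };
    }
  }
}

// Two consecutive transactional messages on one shared instance: a password
// reset for alice (HTML body plus an attachment), then a plain-text welcome for
// bob that never sets html or attachments. With failFirst the reset send throws,
// as a network error would. Returns the payloads the transport recorded.
function runSequence(make: (t: RecordingTransport) => LeakyClient, failFirst = false): Payload[] {
  const transport = new RecordingTransport();
  const client = make(transport);
  transport.failNext = failFirst;
  try {
    client.from("noreply@example.test").to("alice@example.test")
      .subject("Reset your password")
      .html('<a href="https://example.test/reset?token=ALICE-SECRET">Reset</a>')
      .attach("policy.txt", "constructed sample attachment")
      .send();
  } catch {
    // the application logs the failure and moves on to the next message
  }
  client.from("noreply@example.test").to("bob@example.test")
    .subject("Welcome").text("Welcome aboard, Bob.").send();
  return transport.sent;
}

// Which of alice's fields ended up in the last message the transport saw.
function leakedFields(sent: Payload[]): string[] {
  const last = sent[sent.length - 1];
  const leaked: string[] = [];
  if (last.html !== undefined && last.html.indexOf("ALICE-SECRET") !== -1) leaked.push("html");
  if (last.attachments !== undefined && last.attachments.length > 0) leaked.push("attachments");
  return leaked;
}

console.log(leakedFields(runSequence(t => new LeakyClient(t))));     // ["html","attachments"]
console.log(leakedFields(runSequence(t => new ResettingClient(t)))); // []
```

Bob's welcome message never touches html or attachments, which is exactly why the leaky client delivers alice's reset link and attachment to him; the same happens when alice's send fails part-way, since nothing clears the payload on the error path either. The resetting client replaces the payload object rather than mutating it, so fields that are appended to (attachments here) are discarded along with everything else.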
Attack Vector
There is no attacker-driven trigger and no remote exploit path in the usual sense. The leak occurs during normal operation of an application that:
- Uses the vulnerable Lettermint SDK (versions ≤ 1.5.0)
- Reuses a single client instance for multiple email sends
- Does not explicitly overwrite every email property between sends
Exposure lands on whichever recipient happens to be next in the send sequence, so the more distinct recipients a shared instance serves, the more mail is affected. The only indirect lever an outsider has is that anyone able to request a transactional email (a password reset, for example) becomes a candidate "next recipient" and may receive leftover content from the previous send.
? { headers: { 'Idempotency-Key': this.idempotencyKeyValue } }
: undefined;
- return this.httpClient.post<SendEmailResponse>('/send', this.payload, config);
+ const response = await this.httpClient.post<SendEmailResponse>('/send', this.payload, config);
+
+ this.reset();
+
+ return response;
+ }
+
+ /**
+ * Reset the payload and idempotency key to their initial state
+ */
+ private reset(): void {
+ this.payload = {
+ from: '',
+ to: [],
+ subject: '',
+ };
+ this.idempotencyKeyValue = undefined;
}
}
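Review bot: reset() runs only when post() resolves, so a rejected send (network error, or a 4xx/5xx the HTTP client throws) leaves this.payload and this.idempotencyKeyValue populated, and the next send() on the same instance, whether a retry or an unrelated message, carries them. Move the reset into a finally block: `try { return await this.httpClient.post<SendEmailResponse>('/send', this.payload, config); } finally { this.reset(); }`. If keeping the payload for a same-message retry is intended, that should be documented on send(), since callers cannot otherwise tell which state they are sending.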
Source: GitHub Commit Details
Detection Methods for CVE-2026-27492
Indicators of Compromise
- Recipients reporting receiving emails with content intended for other users
- Email logs showing unexpected attachments or recipient data in outbound messages
- Customer complaints about receiving password reset links or notifications for other accounts
- Code review or tracing showing a single client instance serving many distinct recipients; this is the exposure condition rather than evidence of a leak, but it identifies which sends to audit
Detection Strategies
- Implement dependency scanning to identify Lettermint SDK versions 1.5.0 and below in your codebase
- Review application logs for email operations where recipient addresses or content appear inconsistent
- Conduct code reviews to identify patterns where single Lettermint client instances handle multiple sequential sends
- Deploy software composition analysis (SCA) tools to flag vulnerable SDK versions
Monitoring Recommendations
- Enable detailed logging for all outbound email operations including recipient addresses and content hashes
- Monitor for customer-reported privacy incidents involving misdirected emails
- Track Lettermint SDK versions across all application deployments
- Alert on outbound messages whose field set does not match their template (for example attachments or an HTML body on a plain-text notification), since merged payloads look exactly like that; delivery failures alone are a weak signal
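One way to run the log review above as code, as an added example that is neither from the advisory nor from Lettermint: detection logic over outbound-email log lines. The log schema is constructed for this example (one JSON object per send with the template that produced it, the recipients, a SHA-256 of the rendered HTML body or null for plain text, and the attachment count), as is the per-template shape table. A merged payload shows up either as a template carrying fields it never renders, or as one body hash reaching unrelated recipients under a different template.

```typescript
// Added example, not from the advisory or Lettermint. The log schema, the
// template shape table and the sample lines are constructed for illustration.

interface SendLog {
  ts: string;
  template: string;
  to: string[];
  html_sha256: string | null;
  attachment_count: number;
}

interface Finding {
  line: number;
  rule: "unexpected-html" | "unexpected-attachments" | "body-reuse";
  detail: string;
}

// Assumed per-template shape; in a real deployment derive it from the templates.
const TEMPLATE_SHAPE: Record<string, { html: boolean; attachments: boolean }> = {
  "password-reset": { html: true, attachments: false },
  welcome: { html: false, attachments: false },
  invoice: { html: true, attachments: true },
};

function findMergedPayloads(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  // body hash -> first send that carried it
  const firstSeen: Record<string, { template: string; to: string[]; line: number }> = {};

  lines.forEach((raw, i) => {
    if (raw.trim() === "") return;
    const entry = JSON.parse(raw) as SendLog;
    const shape = TEMPLATE_SHAPE[entry.template];

    // Rule 1: the field set does not match what the template renders.
    if (shape !== undefined) {
      if (!shape.html && entry.html_sha256 !== null) {
        findings.push({ line: i, rule: "unexpected-html", detail: `${entry.template} carried an HTML body` });
      }
      if (!shape.attachments && entry.attachment_count > 0) {
        findings.push({ line: i, rule: "unexpected-attachments", detail: `${entry.template} carried ${entry.attachment_count} attachment(s)` });
      }
    }

    // Rule 2: an identical rendered body went to a disjoint recipient set under another template.
    if (entry.html_sha256 !== null) {
      const prev = firstSeen[entry.html_sha256];
      if (prev !== undefined && prev.template !== entry.template && !prev.to.some(a => entry.to.indexOf(a) !== -1)) {
        findings.push({ line: i, rule: "body-reuse", detail: `body of ${prev.template} (line ${prev.line}, ${prev.to.join(",")}) reached ${entry.to.join(",")} as ${entry.template}` });
      }
      if (prev === undefined) firstSeen[entry.html_sha256] = { template: entry.template, to: entry.to, line: i };
    }
  });
  return findings;
}

// Constructed sample log (hashes are placeholders): line 0 is a healthy invoice,
// line 1 is a welcome that inherited the invoice's body and attachment from a
// shared client instance, line 2 is a healthy password reset.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-02-20T10:00:00Z","template":"invoice","to":["carol@example.test"],"html_sha256":"h1-constructed","attachment_count":1}',
  '{"ts":"2026-02-20T10:00:01Z","template":"welcome","to":["bob@example.test"],"html_sha256":"h1-constructed","attachment_count":1}',
  '{"ts":"2026-02-20T10:00:02Z","template":"password-reset","to":["alice@example.test"],"html_sha256":"h2-constructed","attachment_count":0}',
];

for (const f of findMergedPayloads(SAMPLE_LOG)) console.log(`line ${f.line} ${f.rule}: ${f.detail}`);
```

Rule 1 needs only your own template inventory and catches the common case (a plain-text notification going out with someone else's HTML or attachment); rule 2 needs the body hash the Monitoring Recommendations ask you to log and catches the case where both templates legitimately render HTML. Both are heuristics: a rule-2 hit on a bulk template sent to many people is expected, so scope it to per-user transactional templates.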
How to Mitigate CVE-2026-27492
Immediate Actions Required
- Upgrade the Lettermint Node.js SDK to version 1.5.1 or later immediately
- Audit application code for instances where Lettermint client objects are reused across multiple sends
- If immediate upgrade is not possible, create new client instances for each email send operation
- Review recent email logs to identify any potential data exposure incidents
Patch Information
The vulnerability has been addressed in Lettermint Node.js SDK version 1.5.1, released on 2026-02-20. The fix introduces a reset() method that automatically clears the email payload and idempotency key after each successful send operation. The patch commit 24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1 implements this fix. For detailed information, see the GitHub Security Advisory GHSA-49pc-8936-wvfp and the Changelog Entry.
Workarounds
- Create a new Lettermint client instance for each email send operation rather than reusing instances
- Explicitly clear all email properties (to, subject, html, text, attachments) after each send if using a shared instance
- Implement a wrapper function that instantiates a fresh client for each email operation
- If a shared instance is unavoidable, set every email property on every send (to, subject, html, text, attachments) so a leftover value is always overwritten; this only helps for setters that replace rather than append, so treat it as a stopgap, not a fix
# Update the Lettermint Node.js SDK to the patched release (npm update does not
# accept a version spec; npm install also records the new range in package.json)
npm install lettermint@^1.5.1
# Or pin the exact patched version
npm install lettermint@1.5.1
# Verify the installed version
npm list lettermint
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


