CVE-2026-27492: CWE-488: Exposure of Data Element to Wrong Session in lettermint lettermint-node
CVE-2026-27492 is a medium severity vulnerability in the Lettermint Node.js SDK, versions 1.5.0 and below. The issue arises because email properties such as recipient addresses and message content are not cleared between consecutive .send() calls on the same client instance, so information from a previous email can be carried into subsequent emails, exposing sensitive content or recipient details to the wrong parties. The vulnerability affects applications that send multiple emails sequentially through a single client instance, such as transactional email flows. No user interaction is required, but local access with low privileges is needed. The flaw impacts confidentiality and does not affect integrity or availability.
AI Analysis
Technical Summary
CVE-2026-27492 is a vulnerability categorized under CWE-488 (Exposure of Data Element to Wrong Session) in the Lettermint Node.js SDK, versions 1.5.0 and earlier. The root cause is that the SDK does not reset or clear email properties, including 'to', 'subject', 'html', 'text' and 'attachments', between multiple .send() calls on a reused client instance. Any field the caller does not explicitly set for the next message keeps the value from the previous one, so a prior message's recipients, body or attachments can ride along with the next message. The result is that sensitive content reaches recipients it was never meant for, and recipient addresses are disclosed to other recipients, violating confidentiality. The vulnerability primarily affects applications that send multiple emails in sequence through one client, such as password reset flows or notification systems, where consecutive messages go to different recipients with different content. Exploitation needs only low privileges and no user interaction: the "attacker" is effectively whatever code reuses the client instance, and nothing beyond the application's own, otherwise correct, send calls is required to trigger the leak. The CVSS v3.1 base score is 4.7 (medium), reflecting the local attack vector, high confidentiality impact, low privileges required, and no integrity or availability impact. No known exploits have been reported in the wild. The issue was addressed in Lettermint Node.js SDK version 1.5.1, which resets the email properties between sends so that nothing from one message persists into the next.
Potential Impact
The primary impact is unintended disclosure of email content and recipient information to parties not meant to receive it. This can lead to privacy violations, exposure of confidential data such as password reset links or tokens, financial notifications or personal data, and potential compliance breaches. Disclosed recipient addresses can also be used in follow-on phishing or social engineering. Integrity and availability are not affected, but a confidentiality breach of this kind damages user trust and organizational reputation. Because the flaw depends on reuse of a client instance whose state has not been cleared, applications that create a new client (or an otherwise fresh message) for every email do not trigger it; the many implementations that share one long-lived client for efficiency are the ones exposed. The medium CVSS score reflects the limited attack vector (the leak is caused by the application's own code reuse, not by remote input) set against a high confidentiality impact. Organizations sending high volumes of transactional email, or email containing credentials and account-specific secrets, are most at risk.
Mitigation Recommendations
Upgrade the Lettermint Node.js SDK to version 1.5.1 or later, where the issue is fixed. Where an immediate upgrade is not possible, do not reuse one client instance across messages: create a client per email, or explicitly set every message property (recipients, subject, text and HTML bodies, attachments) on each send so that nothing is inherited from the previous call. Add a regression test that sends two messages with different recipients through a single instance and asserts that the second captured payload contains none of the first message's recipients, body or attachments. Consider application-level logging of outgoing recipient lists and attachment names so that cross-message carry-over can be detected and scoped if it has already occurred in production, and review email-sending workflows to confirm that sensitive data is not retained beyond the send that needs it.
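The following is an added illustration, not code from the Lettermint SDK or from the advisory: a minimal fluent email client whose builder state survives .send() (the CWE-488 pattern the technical summary describes), next to a version that resets that state, and a residue check of the kind the mitigation section recommends as a regression test. The method names (to, subject, text, html, attach, send), the in-memory transport and the example addresses and bodies are all assumptions constructed for the demonstration.

```javascript
// Added example (not Lettermint code): leaky vs. resetting fluent email client,
// plus a residue check for cross-message carry-over. All names are assumed.

// Constructed in-memory transport: records each payload instead of sending it.
class RecordingTransport {
  constructor() { this.sent = []; }
  deliver(msg) {
    // Deep-copy so later mutation of the builder cannot alter the record.
    this.sent.push({ ...msg, to: [...msg.to], attachments: [...msg.attachments] });
    return { id: `msg-${this.sent.length}` };
  }
}

function emptyMessage() {
  return { to: [], subject: '', html: '', text: '', attachments: [] };
}

// Vulnerable shape: one message object lives on the client and is mutated in
// place; send() serializes it but never clears it, so every field the caller
// does not overwrite for the next message still carries the previous value.
class LeakyClient {
  constructor(transport) { this.transport = transport; this.msg = emptyMessage(); }
  to(addr) { this.msg.to.push(addr); return this; }
  subject(s) { this.msg.subject = s; return this; }
  text(t) { this.msg.text = t; return this; }
  html(h) { this.msg.html = h; return this; }
  attach(name, data) { this.msg.attachments.push({ name, data }); return this; }
  send() { return this.transport.deliver(this.msg); }
}

// Fixed shape: send() takes the finished message off the client and installs a
// fresh empty one before handing the old one to the transport, so a reused
// client always begins the next message with no inherited state.
class ResettingClient extends LeakyClient {
  send() {
    const outgoing = this.msg;
    this.msg = emptyMessage();
    return this.transport.deliver(outgoing);
  }
}

// Simulated transactional flow through ONE shared client: a password reset to
// alice, then an invoice with an attachment to bob (constructed sample data).
function runFlow(client) {
  client.to('alice@example.com').subject('Reset your password')
    .text('Reset token: tok_alice_123').send();
  client.to('bob@example.com').subject('Your invoice')
    .attach('invoice.pdf', '%PDF-1.4 constructed sample').send();
}

// Residue check: which parts of `later` still carry values from `earlier`.
// An empty object means no cross-message leakage; usable as a test assertion
// or as a pre-dispatch guard around a shared client.
function residue(earlier, later) {
  const leaked = {};
  const to = earlier.to.filter((a) => later.to.includes(a));
  if (to.length) leaked.to = to;
  for (const field of ['text', 'html']) {
    if (earlier[field] && later[field] === earlier[field]) leaked[field] = earlier[field];
  }
  const att = earlier.attachments
    .filter((a) => later.attachments.some((b) => b.name === a.name))
    .map((a) => a.name);
  if (att.length) leaked.attachments = att;
  return leaked;
}

// Run the flow with a given client class and report what bob's message
// inherited from alice's.
function demo(ClientClass) {
  const transport = new RecordingTransport();
  runFlow(new ClientClass(transport));
  const [first, second] = transport.sent;
  return { first, second, leaked: residue(first, second) };
}
```

With `demo(LeakyClient)`, the second payload goes to both alice and bob and still carries alice's reset token in its text body, which is exactly the wrong-recipient disclosure the advisory describes; with `demo(ResettingClient)` the second payload contains only bob's address and the invoice, and `residue()` returns an empty object. The same `residue()` check, run against captured payloads in CI with the real SDK behind a stubbed transport, is a straightforward way to prove an upgrade or workaround actually closed the gap.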
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-19T19:46:03.541Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699989acbe58cf853b7b3299
Added to database: 2/21/2026, 10:32:12 AM
Last enriched: 2/21/2026, 10:46:39 AM
Last updated: 2/21/2026, 11:48:20 AM