CVE-2026-27492: CWE-488: Exposure of Data Element to Wrong Session in lettermint lettermint-node
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-27492 is a vulnerability classified under CWE-488 (Exposure of Data Element to Wrong Session) affecting the Lettermint Node.js SDK (lettermint-node) versions 1.5.0 and earlier. The issue arises because the SDK does not reset email-related properties such as 'to', 'subject', 'html', 'text', and 'attachments' between consecutive .send() calls when the same client instance is reused. This improper state management leads to residual data from a previous email send operation persisting into subsequent sends. Consequently, sensitive email content or recipient information can be inadvertently disclosed to unintended recipients. This is particularly critical in applications that send multiple emails in sequence, such as transactional email flows involving password resets, notifications, or other user-specific communications. The vulnerability requires an attacker to have local or internal network access with low privileges and does not require user interaction, but the attack complexity is high due to the need to reuse the same client instance improperly. The CVSS v3.1 base score is 4.7, reflecting medium severity, with a vector indicating local attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. No known exploits are currently reported in the wild. The issue was addressed in version 1.5.1 of the SDK by ensuring proper resetting of email properties between sends, preventing data leakage across sessions.
Potential Impact
The primary impact of this vulnerability is the unintended disclosure of sensitive email content and recipient information, which compromises confidentiality. Organizations using affected versions of the Lettermint Node.js SDK in applications that send multiple emails sequentially risk leaking private data such as user email addresses, personal information, or confidential attachments to wrong recipients. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, HIPAA), reputational damage, and potential legal consequences. Although the vulnerability does not affect data integrity or system availability, the exposure of sensitive information can facilitate social engineering attacks, phishing, or identity theft. The attack requires local or internal network access and some knowledge of the application’s email sending logic, which limits the scope but does not eliminate risk, especially in multi-tenant or shared environments. Organizations relying on transactional email flows or bulk email sending with reused client instances are particularly vulnerable.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade the Lettermint Node.js SDK to version 1.5.1 or later, where the issue is fixed. Developers should audit their email sending code to ensure that each email send operation uses a fresh client instance or explicitly resets all email properties before reuse. Implementing strict input validation and output sanitization for email content can reduce the risk of unintended data leakage. Additionally, segregate email sending contexts per user or transaction to avoid cross-contamination of data. Monitoring and logging email send operations can help detect anomalous behavior indicative of data leaks. Where possible, restrict access to the email sending functionality to trusted internal systems and users to limit the attack surface. Conduct regular code reviews and security testing focusing on session and state management in email-related components. Finally, educate developers about secure SDK usage patterns to prevent similar issues.
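The following is an added example (not lettermint-node's own code) that models the defect described above: a builder-style client that keeps `to`, `subject`, `html`, `text` and `attachments` on the shared instance and never clears them, beside a hardened variant that resets those fields after every `send()`. The `makeTransport`, `StatefulMailer`, `ResettingMailer`, `sendTwo` and `leakedFields` names and the sample addresses are assumptions; `leakedFields` is the kind of check a unit test for this regression would make.

```javascript
// Added example (not lettermint-node's own code): a stand-in builder client that
// mimics the described state-reuse defect, beside a hardened variant that resets.
function makeTransport() {            // constructed stub recording what would be delivered
  const delivered = [];
  return { delivered, deliver(msg) { delivered.push(msg); return { id: delivered.length }; } };
}

// Fields the advisory names as not being reset between sends.
const EMAIL_FIELDS = ["to", "subject", "html", "text", "attachments"];

// Vulnerable pattern: builder state lives on the shared instance and is never cleared.
class StatefulMailer {
  constructor(transport) { this.transport = transport; this.state = {}; }
  to(v)          { this.state.to = v; return this; }
  subject(v)     { this.state.subject = v; return this; }
  html(v)        { this.state.html = v; return this; }
  text(v)        { this.state.text = v; return this; }
  attachments(v) { this.state.attachments = v; return this; }
  send() { return this.transport.deliver({ ...this.state }); }
}

// Hardened pattern: snapshot the message, then clear every email field before delivery,
// so a second send on the same instance starts from an empty message.
class ResettingMailer extends StatefulMailer {
  send() {
    const message = { ...this.state };
    for (const f of EMAIL_FIELDS) delete this.state[f];
    return this.transport.deliver(message);
  }
}

// Two sequential sends on one reused instance with different field subsets (a password
// reset with html + attachment, then a plain-text notice). Returns the second message.
function sendTwo(MailerClass) {
  const transport = makeTransport();
  const mailer = new MailerClass(transport);
  mailer.to("alice@example.test").subject("Reset your password")
    .html("<a href='https://example.test/reset?token=PLACEHOLDER'>Reset</a>")
    .attachments([{ filename: "alice-statement.pdf" }]).send();
  mailer.to("bob@example.test").subject("Weekly digest").text("Hello Bob").send();
  return transport.delivered[1];
}

// Check: a field the caller did not set on the second send that still reaches the
// transport is a leak from the previous send (this is the condition to test for).
function leakedFields(MailerClass, intendedFields) {
  const second = sendTwo(MailerClass);
  return EMAIL_FIELDS.filter((f) => !intendedFields.includes(f) && f in second);
}
```

With the stateful client, Bob's digest carries Alice's reset link and attachment; with the resetting client, `leakedFields` returns an empty list.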
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-19T19:46:03.541Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699989acbe58cf853b7b3299
Added to database: 2/21/2026, 10:32:12 AM
Last enriched: 2/28/2026, 12:42:54 PM
Last updated: 4/7/2026, 3:01:46 PM