GHSA-49PC-8936-WVFP

Vulnerability from github – Published: 2026-02-20 21:14 – Updated: 2026-02-23 22:30
VLAI?
Summary
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
Details

Impact

Email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected.

Patches

Yes, the issue has been patched. Users should upgrade to v1.5.1 or later.

Workarounds

If upgrading immediately is not possible, instantiate a new client for each send:

const client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });
await client.email.to('...').subject('...').html('...').send();

This ensures no state is carried over between sends.

Severity ?
4.7 (Medium)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "lettermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27492"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-488"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-20T21:14:49Z",
    "nvd_published_at": "2026-02-21T11:15:57Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nEmail properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence \u2014 such as transactional flows like password resets or notifications \u2014 are affected.\n\n### Patches\nYes, the issue has been patched. Users should upgrade to v1.5.1 or later.\n\n### Workarounds\nIf upgrading immediately is not possible, instantiate a new client for each send:\n```js\nconst client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });\nawait client.email.to(\u0027...\u0027).subject(\u0027...\u0027).html(\u0027...\u0027).send();\n```\n\nThis ensures no state is carried over between sends.",
  "id": "GHSA-49pc-8936-wvfp",
  "modified": "2026-02-23T22:30:18Z",
  "published": "2026-02-20T21:14:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27492"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lettermint/lettermint-node"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.