4.7

Lettermint SDK Leaks Email Info to Wrong Recipients

CVE-2026-27492 GHSA-49pc-8936-wvfp
Summary

If you reuse a Lettermint client instance to send multiple emails, some email details may accidentally be sent to the wrong people. To fix this, upgrade to Lettermint version 1.5.1 or later. If an upgrade isn't possible, create a new client instance for each email you send.

What to do
  • Update bjarnbronsveld lettermint to version 1.5.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| bjarnbronsveld | lettermint | <= 1.5.1 | 1.5.1 |
| lettermint | lettermint | <= 1.5.1 | |
Original title
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
Original description
### Impact
Email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected.

### Patches
Yes, the issue has been patched. Users should upgrade to v1.5.1 or later.

### Workarounds
If upgrading immediately is not possible, instantiate a new client for each send:
```js
// Create a fresh client for each message instead of reusing one across sends.
const client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });
await client.email.to('...').subject('...').html('...').send();
```

This ensures no state is carried over between sends.
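
The defect class described under Impact (CWE-488), shown as an added example that is not the Lettermint SDK's source: a hypothetical fluent builder that keeps its payload across `send()` calls, beside a form that clears it, with a regression check. The class names, the append behaviour of `to()` and the sample addresses and token are assumptions constructed for illustration.

```javascript
// Hypothetical fluent builder for illustration; NOT the Lettermint SDK's source.
// Assumption: to() appends recipients and send() hands the payload to a transport.
class LeakyEmailBuilder {
  constructor(transport) {
    this.transport = transport;
    this.payload = {};
  }
  to(addr) { this.payload.to = [...(this.payload.to || []), addr]; return this; }
  subject(s) { this.payload.subject = s; return this; }
  html(h) { this.payload.html = h; return this; }
  send() {
    // Defect (CWE-488): payload survives this call, so the next chain inherits it.
    return this.transport({ ...this.payload });
  }
}

// Corrected form: detach the payload before dispatch so state is cleared
// even when the transport throws.
class ResettingEmailBuilder extends LeakyEmailBuilder {
  send() {
    const outgoing = this.payload;
    this.payload = {};
    return this.transport(outgoing);
  }
}

// Constructed scenario: two transactional mails sent through one reused builder.
// The second chain sets only recipient and subject.
function sendTwoThroughOneBuilder(Builder) {
  const delivered = [];
  const email = new Builder((p) => delivered.push(p));
  email.to('alice@example.test').subject('Password reset')
    .html('<a href="https://app.example.test/reset?token=ALICE-TOKEN">Reset</a>').send();
  email.to('bob@example.test').subject('Welcome').send();
  return delivered;
}

// Regression check: fields of the second message that originate from the first.
function leakedIntoSecond(Builder) {
  const [first, second] = sendTwoThroughOneBuilder(Builder);
  const leaks = [];
  if (second.to.some((a) => first.to.includes(a))) leaks.push('to');
  if (second.html !== undefined && second.html === first.html) leaks.push('html');
  return leaks;
}
```

A check of this shape, pointed at a recording transport, can be kept in an application's test suite to confirm that a reused mail client starts each message from empty state after an upgrade.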
nvd CVSS3.1 4.7
Vulnerability type
CWE-488
Published: 20 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026