CVE-2026-59695
Received Received - Intake

Gas Price Validation Bypass in ZenHive mpp

Vulnerability report for CVE-2026-59695, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: EEF

Description

Improper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet in a single request by naming an arbitrarily high gas price. When the mpp Elixir library is configured as fee payer (fee_payer: true), MPP.Tempo.Transaction.cosign_fee_payer/3 re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including max_fee_per_gas and max_priority_fee_per_gas, without validating that they are within reasonable bounds. A malicious client embeds arbitrarily large values for these fields in the signed envelope. The server co-signs and broadcasts the transaction. The effective_gas_price billed against the fee-payer wallet is derived from the attacker-supplied ceilings, so the server pays those inflated per-gas rates out of its own wallet. A single crafted request can drain the wallet entirely, after which the server can no longer sponsor gas for legitimate payment requests. This issue affects mpp: from 0.2.0 before 0.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zenhive mpp From 0.2.0 (inc) to 0.6.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows an unauthenticated remote attacker to drain the fee-payer wallet in a single request by exploiting improper validation of gas price fields in the ZenHive mpp library. When configured as fee payer, the server blindly signs and broadcasts transactions without validating max_fee_per_gas and max_priority_fee_per_gas values. The server then pays inflated gas fees from its own wallet, potentially draining it completely.

Detection Guidance

To detect this vulnerability, check if your mpp library version is between 0.2.0 and 0.6.0. Inspect the MPP.Tempo.Transaction.cosign_fee_payer/3 function in transaction.ex for improper validation of gas_limit, max_fee_per_gas, and max_priority_fee_per_gas fields.

Impact Analysis

This vulnerability can lead to direct financial loss as the server's wallet is drained by paying inflated gas fees. It may also cause a Denial of Service (DoS) if the wallet is completely depleted, preventing further legitimate transactions. Systems using mpp versions 0.2.0 to 0.5.9 with fee_payer: true are affected.

Compliance Impact

This vulnerability does not directly affect compliance with GDPR or HIPAA as it pertains to financial loss through gas fee manipulation rather than data protection or privacy. However, if the drained wallet is used to fund services handling protected health or personal data, operational disruptions could indirectly impact compliance.

Mitigation Strategies

Upgrade the mpp library to version 0.6.0 or later. If upgrading is not possible, disable the fee_payer configuration to prevent server-side gas sponsorship. Monitor wallet balances for unusual transactions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59695. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart