Improper Input Validation in ZenHive mpp Affects Fee-Payer Functionality
CVE-2026-59252
What is CVE-2026-59252?
The ZenHive mpp product suffers from a vulnerability that allows an unauthenticated remote client to exploit improper validation of specified input quantities. In particular, when configured as a fee payer, the MPP.Methods.Tempo payment method can be manipulated by malicious actors who submit transactions with under-calculated gas limits. This leads to a scenario where the fee-payer wallet is drained while the attacker pays nothing, causing disruption in service for legitimate users. Additionally, the optimistic payment confirmation approach fails to account for gas parameters, allowing repeated exploits that exacerbate the situation. This makes it critical for users to update their systems to mitigate the risk associated with these vulnerabilities.
Affected Version(s)
mpp 0.2.0 < 0.6.0
mpp d29d54e507918db00a5b65d90136b73166c017d7
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved
