Improper Input Validation in ZenHive mpp Affects Fee-Payer Functionality
CVE-2026-59252

8.2HIGH

Key Information:

Vendor

Zenhive

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-59252?

The ZenHive mpp product suffers from a vulnerability that allows an unauthenticated remote client to exploit improper validation of specified input quantities. In particular, when configured as a fee payer, the MPP.Methods.Tempo payment method can be manipulated by malicious actors who submit transactions with under-calculated gas limits. This leads to a scenario where the fee-payer wallet is drained while the attacker pays nothing, causing disruption in service for legitimate users. Additionally, the optimistic payment confirmation approach fails to account for gas parameters, allowing repeated exploits that exacerbate the situation. This makes it critical for users to update their systems to mitigate the risk associated with these vulnerabilities.

Affected Version(s)

mpp 0.2.0 < 0.6.0

mpp d29d54e507918db00a5b65d90136b73166c017d7

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kian Kai Ang
E.FU
Jonatan Männchen / EEF
.