Improper Validation Vulnerability in ZenHive mpp Product
CVE-2026-59694

8.3HIGH

Key Information:

Vendor

Zenhive

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-59694?

The vulnerability in ZenHive mpp allows unauthenticated remote clients to exploit improper validation of input fields, particularly affecting the gas cost incurred by fee payers. When configured to pay fees, the mpp library fails to validate the EIP-2930 access list entries provided by clients. This can lead to substantial increases in gas costs for transactions as clients can submit a valid transfer alongside false entries that dramatically inflate the expenses. Sustained exploitation could severely impact operating margins for sponsors, leading to potential financial loss and drain on fee-payer wallets.

Affected Version(s)

mpp 0.2.0 < 0.6.0

mpp d29d54e507918db00a5b65d90136b73166c017d7 < 5d6338e2334084c5f2a78cfcca474830733ed7e8

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kian Kai Ang
E.FU
Jonatan Männchen / EEF
.