Improper Input Validation in ZenHive mpp Payment Processing
CVE-2026-59695

8.3HIGH

Key Information:

Vendor

Zenhive

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-59695?

The ZenHive mpp product is vulnerable due to improper validation of input quantities, specifically in its transaction fee handling mechanism. When configured to act as a fee payer, the mpp Elixir library fails to enforce reasonable limits on the client-supplied 'max_fee_per_gas' and 'max_priority_fee_per_gas' parameters. This oversight allows malicious users to submit a request containing inflated gas fee values. When the server co-signs such transactions, it incurs excessive costs charged to the fee payer's wallet, leading potentially to total depletion. This situation not only affects the wallet's ability to process legitimate transactions but also poses a significant risk to the integrity of the payment system. Users of mpp versions 0.2.0 and later up to 0.6.0 should apply the latest security patch.

Affected Version(s)

mpp 0.2.0 < 0.6.0

mpp d29d54e507918db00a5b65d90136b73166c017d7 < 5d6338e2334084c5f2a78cfcca474830733ed7e8

References

CVSS V4

Score:
8.3
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kian Kai Ang
E.FU
Jonatan Männchen / EEF
.