PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59252 ZenHive CVE debrief

CVE-2026-59252 is an Improper Validation of Specified Quantity in Input vulnerability in ZenHive mpp that allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. The vulnerability affects mpp versions from 0.2.0 before 0.6.0. The issue arises when the mpp Elixir library is configured as a fee payer and does not validate the client-supplied gas_limit for EVM transactions. This allows malicious clients to submit transactions with deliberately low gas limits, causing the transaction to revert while still charging the fee-payer wallet.

Vendor
ZenHive
Product
mpp
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Users of ZenHive mpp, especially those configured as fee payers, should be aware of this vulnerability and take immediate action to prevent exploitation. This includes updating mpp to version 0.6.0 or later, verifying and adjusting the fee_payer configuration, monitoring wallet balances and transaction activity, and implementing compensating controls to detect and prevent suspicious transactions. Security teams and operators should review the affected scope and severity with the vendor and assess their exposure.

Technical summary

The mpp Elixir library, when configured as a fee payer, does not validate the client-supplied gas_limit for EVM transactions. This allows malicious clients to submit transactions with deliberately low gas limits, causing the transaction to revert while still charging the fee-payer wallet. Repeated exploitation can drain the wallet, preventing legitimate payment requests from being sponsored. The wait_for_confirmation = false (optimistic) path is also affected as it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions.

Defensive priority

High priority due to potential for significant financial loss and denial of service.

Recommended defensive actions

  • Update mpp to version 0.6.0 or later
  • Verify and adjust the fee_payer configuration
  • Monitor wallet balances and transaction activity
  • Implement compensating controls to detect and prevent suspicious transactions
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T11:17:13.803Z and has not been modified since then. The NVD entry is currently Received. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the affected scope and severity with the vendor and review compensating controls.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T11:17:13.803Z and has not been modified since then.