PatchSiren cyber security CVE debrief
CVE-2026-59694 ZenHive CVE debrief
CVE-2026-59694 is a vulnerability in ZenHive's mpp library, which allows an unauthenticated remote client to inflate the fee-payer's gas cost per payment by a large multiplier, degrading the sponsor's operating margin. The vulnerability occurs when the mpp Elixir library is configured as a fee payer and re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. This issue affects mpp: from 0.2.0 before 0.6.0.
- Vendor
- ZenHive
- Product
- mpp
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of ZenHive's mpp library, particularly those who have configured the library as a fee payer, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of the library and monitoring for suspicious activity. Operators, platform administrators, vulnerability management teams, and security teams may be impacted.
Technical summary
The vulnerability occurs in the MPP.Tempo.Transaction.cosign_fee_payer/3 function, which re-signs the client-supplied base fields of the 0x76 AASigned envelope verbatim, including the EIP-2930 access list, without validating its length or contents. This allows a malicious client to submit a valid transferWithMemo call alongside a large number of fabricated access-list entries, causing the fee-payer wallet to pay a large multiple of the expected gas cost with no corresponding on-chain work. At the maintainer's default of 137 access-list entries and 100 Gwei max_fee_per_gas, per-payment gas cost rises from ~51,287 to ~380,087 gas, a 7.4x multiplier.
Defensive priority
High
Recommended defensive actions
- Upgrade to a patched version of the ZenHive mpp library
- Monitor for suspicious activity
- Implement additional security measures to prevent similar attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-17T11:17:13.960Z and has not been modified since then. The NVD entry is currently Received. The vulnerability affects mpp library versions from 0.2.0 before 0.6.0. There is no evidence of exploit or ransomware campaign use. Users should verify their deployments and plan for updates.
Official resources
-
CVE-2026-59694 CVE record
CVE.org
-
CVE-2026-59694 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T11:17:13.960Z and has not been modified since then.