PatchSiren cyber security CVE debrief
CVE-2026-59695 ZenHive CVE debrief
CVE-2026-59695 is a vulnerability in ZenHive's mpp library that allows an unauthenticated remote client to drain the fee-payer wallet by naming an arbitrarily high gas price. The vulnerability is caused by the improper validation of specified quantity in input in the mpp library. When the library is configured as a fee payer, it re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim, including max_fee_per_gas and max_priority_fee_per_gas, without validating that they are within reasonable bounds. This allows a malicious client to embed arbitrarily large values for these fields, causing the server to pay inflated per-gas rates out of its own wallet. Users of ZenHive's mpp library, especially those configured as fee payers, should be aware of this vulnerability and take immediate action to protect their wallets.
- Vendor
- ZenHive
- Product
- mpp
- CVSS
- HIGH 8.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of ZenHive's mpp library, especially those configured as fee payers, should be aware of this vulnerability and take immediate action to protect their wallets. This includes updating to version 0.6.0 or later, configuring the mpp library to not be a fee payer, and monitoring wallet activity for suspicious transactions. Additionally, operators of affected systems should review the official advisory and CVE record to validate affected scope and severity, and plan vendor-supported updates or mitigations through normal change control.
Technical summary
The vulnerability is caused by the improper validation of specified quantity in input in the mpp library. When the library is configured as a fee payer, it re-signs client-supplied base fields of the 0x76 AASigned envelope verbatim, including max_fee_per_gas and max_priority_fee_per_gas, without validating that they are within reasonable bounds. This allows a malicious client to embed arbitrarily large values for these fields, causing the server to pay inflated per-gas rates out of its own wallet. The effective_gas_price billed against the fee-payer wallet is derived from the attacker-supplied ceilings, so the server pays those inflated per-gas rates out of its own wallet.
Defensive priority
High
Recommended defensive actions
- Update to version 0.6.0 or later
- Configure mpp library to not be a fee payer
- Monitor wallet activity for suspicious transactions
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-17T11:17:14.117Z and has not been modified since then. The NVD entry is currently Received. There is no additional information available about the vulnerability beyond what is provided in the CVE record and NVD entry. Users should verify the affected scope and severity with the vendor and review the official advisory for guidance on mitigation and remediation.
Official resources
-
CVE-2026-59695 CVE record
CVE.org
-
CVE-2026-59695 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
-
Source reference
6b3ad84c-e1a6-4bf7-a703-f496b71e49db
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T11:17:14.117Z and has not been modified since then.