CVE-2026-59695

ZenHive · mpp

ZenHive mpp contains an input validation vulnerability that enables unauthenticated remote clients to drain fee-payer wallets by specifying arbitrary gas prices.

Executive summary

A critical input validation flaw in ZenHive mpp allows unauthenticated remote attackers to drain fee-payer wallets, creating a severe risk of direct financial theft.

Vulnerability

This vulnerability involves the improper validation of specified quantities in input (CWE-1284), specifically regarding gas price settings. An unauthenticated remote attacker can submit a request with an arbitrarily high gas price to deplete the funds within the fee-payer wallet.

Business impact

The potential for a complete drain of the fee-payer wallet in a single request makes this a critical financial risk. Given the CVSS score of 8.3, this vulnerability could lead to total loss of funds associated with the affected wallet, necessitating urgent intervention.

Remediation

Immediate Action: Update ZenHive mpp to version 0.6.0 or higher to enforce proper validation of gas price inputs.

Proactive Monitoring: Monitor wallet balances and transaction activity for sudden, large, or unauthorized outflows that could indicate an exploitation attempt.

Compensating Controls: Apply strict rate limiting and transaction amount caps on the fee-payer wallet to prevent single-request fund depletion.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the potential for immediate and total financial loss, this vulnerability must be treated with the highest urgency. Organizations using ZenHive mpp must upgrade to the latest version and verify the security of their wallet configurations immediately.