Missing gas_limit validation in mpp Tempo fee-payer enables wallet drain

Summary

CVECVE-2026-59252
StatePUBLISHED
AssignerEEF
Source PriorityCVE Program / NVD first with legacy fallback
Published2026-07-17 11:17:13 UTC
Updated2026-07-17 18:09:55 UTC
DescriptionImproper Validation of Specified Quantity in Input in ZenHive mpp allows an unauthenticated remote client to drain the fee-payer wallet, resulting in denial of service for legitimate clients. When the mpp Elixir library is configured as fee payer (fee_payer: true), the MPP.Methods.Tempo payment method co-signs and broadcasts a client-supplied EVM transaction without first validating that the client-supplied gas_limit is sufficient to complete the intended call. A malicious client can submit a signed transferWithMemo transaction with gas_limit deliberately set just below the amount required for successful execution. The server co-signs the transaction and broadcasts it via rpc_broadcast_sync. The transaction runs out of gas during EVM execution and reverts, but the fee-payer wallet is still charged for the burned gas while the client pays nothing and receives no resource. Repeated requests from one or more malicious clients drain the fee-payer wallet at near-zero cost to the attacker, ultimately preventing the server from sponsoring gas for legitimate payment requests. The wait_for_confirmation = false (optimistic) path is also affected: it invokes simulate_payment_call via eth_call, but that simulation omits the gas parameter and therefore does not catch out-of-gas conditions. This issue affects mpp: from 0.2.0 before 0.6.0.

Risk And Classification

Primary CVSS: v4.0 8.2 HIGH from 6b3ad84c-e1a6-4bf7-a703-f496b71e49db

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Problem Types: CWE-1284 | CWE-1284 CWE-1284 Improper Validation of Specified Quantity in Input


VersionSourceTypeScoreSeverityVector
4.06b3ad84c-e1a6-4bf7-a703-f496b71e49dbSecondary8.2HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/C...
4.0CNACVSS8.2HIGHCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CVSS v4.0 Breakdown

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
None
Availability
High
Sub Conf.
None
Sub Integrity
None
Sub Availability
None

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Vendor Declared Affected Products

SourceVendorProductVersionPlatforms
CNA ZenHive Mpp affected 0.2.0 0.6.0 semver Not specified
CNA ZenHive Mpp affected d29d54e507918db00a5b65d90136b73166c017d7 d84e3e528db39654540c2035ea0fbdf7b950d3d1 git Not specified

References

ReferenceSourceLinkTags
github.com/ZenHive/mpp/security/advisories/GHSA-vj8p-hp9x-gh47 134c704f-9b21-4f2e-91b3-4a467353bcc0 github.com
cna.erlef.org/cves/CVE-2026-59252.html 6b3ad84c-e1a6-4bf7-a703-f496b71e49db cna.erlef.org
osv.dev/vulnerability/EEF-CVE-2026-59252 6b3ad84c-e1a6-4bf7-a703-f496b71e49db osv.dev
github.com/ZenHive/mpp/commit/d84e3e528db39654540c2035ea0fbdf7b950d3d1 6b3ad84c-e1a6-4bf7-a703-f496b71e49db github.com
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Kian Kai Ang (en)

CNA: E.FU (en)

CNA: Jonatan Männchen / EEF (en)

© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report