PT-2026-60736 · Mpp · Mpp

·

CVE-2026-59695

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v4.0

8.3

High

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions mpp versions 0.2.0 through 0.5.9
Description Improper validation of input quantities allows an unauthenticated remote client to drain the fee-payer wallet in a single request by specifying an arbitrarily high gas price. When the library is configured as a fee payer, the cosign fee payer/3 function re-signs client-supplied base fields of the 0x76 AASigned envelope without validating that max fee per gas and max priority fee per gas are within reasonable bounds. A malicious client can embed excessively large values for these variables, causing the server to pay inflated per-gas rates from its own wallet. This can result in the complete depletion of the wallet, preventing the server from sponsoring gas for legitimate requests. This issue is only reachable when the MPP.Methods.Tempo method is configured with fee payer: true.
Recommendations Update mpp to version 0.6.0 or later. As a temporary mitigation, set the fee payer configuration to false to disable server-side gas sponsorship.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59695
GHSA-VV77-66RF-PM86

Affected Products

Mpp