CVE-2026-52830: fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection
fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP client can therefore authenticate as the default legacy session with a token such as ../fast-mcp-telegram/telegram when the documented default session file ~/.config/fast-mcp-telegram/telegram.session exists. This bypasses the reserved session name control that is intended to prevent HTTP multi-user sessions from colliding with the default stdio or legacy account. With account-prefixed MCP tools enabled, the attacker still sees and calls the prefixed tools for the default account, so the prefix middleware does not stop the session selection bypass. This vulnerability is fixed in 0.19.1.
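The following Python is an added illustration, not fast-mcp-telegram's own code: it models the session-file lookup the advisory describes in its weak form (reject only the literal reserved string, join the raw token, test for existence) beside a hardened form that allow-lists the token and checks the normalized path before it is used. The directory layout, function names and the token allow-list are assumptions; the reserved name `telegram`, the default `telegram.session` file and the traversal token are the ones quoted in the advisory.

```python
import os
import re
import tempfile
from typing import Optional

RESERVED_TOKEN = "telegram"          # reserved session name named in the advisory
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{8,128}$")  # assumed allow-list; no '/', '\\' or '.'


def weak_resolve(sessions_dir: str, token: str) -> Optional[str]:
    """Models the pre-0.19.1 check: reject only the exact reserved string,
    then join the raw token into a path and test whether the file exists."""
    if token == RESERVED_TOKEN:
        return None
    path = os.path.join(sessions_dir, token + ".session")
    return path if os.path.exists(path) else None


def hardened_resolve(sessions_dir: str, token: str) -> Optional[str]:
    """Allow-list the token, then check the *normalized* path: it must be a
    direct child of sessions_dir and must not be the reserved session."""
    if not TOKEN_RE.fullmatch(token):
        return None                     # path separators and dots never reach the join
    root = os.path.realpath(sessions_dir)
    path = os.path.realpath(os.path.join(root, token + ".session"))
    if os.path.dirname(path) != root:
        return None                     # resolved outside the sessions directory
    if os.path.basename(path) == RESERVED_TOKEN + ".session":
        return None                     # reserved session reached by any spelling
    return path if os.path.isfile(path) else None


def demo() -> dict:
    """Constructed layout mirroring the advisory: the default telegram.session
    and the HTTP multi-user sessions share one fast-mcp-telegram directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sessions = os.path.join(tmp, "fast-mcp-telegram")
        os.makedirs(sessions)
        for name in ("telegram", "user_a1b2c3d4"):      # constructed session files
            open(os.path.join(sessions, name + ".session"), "w").close()
        traversal = "../fast-mcp-telegram/telegram"     # token quoted in the advisory
        return {
            "weak_accepts_traversal": weak_resolve(sessions, traversal) is not None,
            "weak_rejects_exact_reserved": weak_resolve(sessions, RESERVED_TOKEN) is None,
            "hardened_rejects_traversal": hardened_resolve(sessions, traversal) is None,
            "hardened_rejects_reserved": hardened_resolve(sessions, RESERVED_TOKEN) is None,
            "hardened_accepts_valid": hardened_resolve(sessions, "user_a1b2c3d4") is not None,
        }
```

The reserved-name comparison on the normalized basename matters even with the allow-list in place: the sessions directory and the default session live side by side, so directory containment alone would still admit the default file.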
Metrics
- CVSS v3.1: 9.4
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in fast-mcp-telegram, a Telegram MCP Server, allows a remote unauthenticated attacker to bypass reserved session name protection by embedding path separators in the HTTP Bearer token. The server joins the raw token string into a filesystem path without normalizing it first, so a crafted token such as ../fast-mcp-telegram/telegram resolves to the default legacy session file rather than being rejected. Successful exploitation gives the attacker full read and write access to the victim account's Telegram session, with limited service disruption risk. A patched rebuild at version 0.19.1 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images running any version of fast-mcp-telegram below 0.19.1, including custom-built images that bundle the library directly. (Status: Available)
HarborGuard scores this finding at CVSS 9.4 Critical and applies per-environment compliance policy weighting to prioritize routing. Triage notifications are delivered to the inbox or ticketing integration configured for each customer organization. (Status: Available)
No upstream fix version has been published yet; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 0.19.1 or a later fix is released upstream. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the fast-mcp-telegram HTTP server over the network; no local access is needed.
- Authentication: Not required
No credentials or account are required; the crafted Bearer token is the attack payload itself, not a bypass of a valid credential check.
- Victim interaction: Not required
The exploit is entirely server-side and completes without any action from a user or operator.
- Attack complexity: Low (CVSS AC:L)
Exploitation is reliable and condition-free; the attacker only needs to know or guess the default session file path, which is publicly documented.
Blast Radius
- The attacker authenticates as the default Telegram session and reads all messages, contacts, and media accessible to that account.
- The attacker can send messages, join or leave channels, and modify account settings, representing full write access to the Telegram account.
- With account-prefixed MCP tools enabled, the attacker can invoke any prefixed tool tied to the default account, extending reach to any downstream automation those tools control.
- Service availability is marginally affected (CVSS A:L); the session remains functional but may exhibit unexpected behavior from concurrent unauthorized use.
How HarborGuard Handles This
Available on HarborGuard: detection for this CVE is active and will flag any image containing fast-mcp-telegram below 0.19.1. Because no upstream fix version has been published at this time, HarborGuard monitors the advisory on every ingest cycle. The moment an upstream patch ships, a patched-image rebuild becomes available, and for customers with auto-remediation enabled the platform will trigger a rebuild, run regression tests, and open a PR against affected workloads automatically. In the interim, consider the following compensating controls: restrict network access to the fast-mcp-telegram HTTP port to trusted sources using network policy or firewall rules; place an authenticating reverse proxy in front of the MCP server to enforce token validation at the perimeter before requests reach the vulnerable path-join logic; and where operationally feasible, disable the HTTP multi-user session interface and rely exclusively on the stdio transport until the patch is applied.
Affected Products
- leshchenko1979 / fast-mcp-telegram: < 0.19.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L