HarborGuard Database
CRITICAL | CVE-2026-52830 | Published | Modified | CNA: GitHub_M

CVE-2026-52830: fast-mcp-telegram: Bearer token path traversal bypasses reserved Telegram session protection

fast-mcp-telegram is a Telegram MCP Server. Prior to 0.19.1, fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path. The verifier rejects the exact reserved token telegram, but it does not reject path separators or normalize the path before checking whether the session file exists. A remote HTTP client can therefore authenticate as the default legacy session with a token such as ../fast-mcp-telegram/telegram when the documented default session file ~/.config/fast-mcp-telegram/telegram.session exists. This bypasses the reserved session name control that is intended to prevent HTTP multi-user sessions from colliding with the default stdio or legacy account. With account-prefixed MCP tools enabled, the attacker still sees and calls the prefixed tools for the default account, so the prefix middleware does not stop the session selection bypass. This vulnerability is fixed in 0.19.1.
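The mechanism above is easiest to see side by side with a fixed lookup. The following is an added worked example, not code from the fast-mcp-telegram project or its 0.19.1 fix: it reconstructs the pre-0.19.1 pattern the advisory describes (reject the literal reserved name, join the raw token into the path, test for existence) next to a hardened lookup that allow-lists the token and checks the reserved name only after the path has been normalized. It also goes one step beyond the advisory's token by trying an absolute-path token, which the same raw join accepts. The function names, the allow-list regex, the temporary directory layout and the token alice-token-0001 are assumptions made for this example.

```python
"""Added worked example (not fast-mcp-telegram's own code).

Reconstructs the two verifier behaviours the advisory describes so the bypass
can be reproduced offline: a pre-0.19.1 style lookup that joins the raw token
into the session path, and a hardened lookup. Function names, the token
allow-list and the temporary directory layout are assumptions for this example.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

RESERVED_SESSION = "telegram"  # default/legacy session name named in the advisory

# Assumed allow-list for multi-user tokens: letters, digits, '_' and '-' only,
# so '/', '\\', '.' (hence '..') and absolute paths can never reach the join.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")


def vulnerable_lookup(session_dir: Path, token: str) -> Optional[Path]:
    """Pre-0.19.1 pattern as the advisory describes it: reject only the literal
    reserved name, then join the raw token and test for existence. No
    normalization, no separator check."""
    if token == RESERVED_SESSION:
        return None
    candidate = session_dir / f"{token}.session"
    return candidate if candidate.exists() else None


def hardened_lookup(session_dir: Path, token: str) -> Optional[Path]:
    """Allow-list the token, resolve the path, and require the result to be a
    regular file directly inside the session directory whose name is not the
    reserved session. The reserved-name check runs after normalization."""
    if not TOKEN_RE.fullmatch(token):
        return None
    base = session_dir.resolve()
    candidate = (base / f"{token}.session").resolve()
    if candidate.parent != base:  # defence in depth against any future join bug
        return None
    if candidate.stem == RESERVED_SESSION:  # also catches a symlink to the default
        return None
    return candidate if candidate.is_file() else None


def demo() -> Dict[str, bool]:
    """Run both verifiers against a constructed session directory and report
    which tokens each one accepts."""
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = Path(tmp) / "fast-mcp-telegram"
        session_dir.mkdir()
        default_file = session_dir / "telegram.session"  # documented default name
        default_file.write_bytes(b"constructed default session")
        (session_dir / "alice-token-0001.session").write_bytes(b"constructed user session")

        traversal = "../fast-mcp-telegram/telegram"  # the token from the advisory
        absolute = str(default_file.with_suffix(""))  # generalization: absolute-path token
        legit = "alice-token-0001"  # hypothetical valid multi-user token

        vuln_trav = vulnerable_lookup(session_dir, traversal)
        vuln_abs = vulnerable_lookup(session_dir, absolute)
        return {
            "vulnerable_accepts_traversal": vuln_trav is not None and vuln_trav.samefile(default_file),
            "vulnerable_accepts_absolute": vuln_abs is not None and vuln_abs.samefile(default_file),
            "hardened_rejects_traversal": hardened_lookup(session_dir, traversal) is None,
            "hardened_rejects_absolute": hardened_lookup(session_dir, absolute) is None,
            "hardened_accepts_legit": hardened_lookup(session_dir, legit) is not None,
            "both_reject_literal_reserved": (
                vulnerable_lookup(session_dir, RESERVED_SESSION) is None
                and hardened_lookup(session_dir, RESERVED_SESSION) is None
            ),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The order of checks in hardened_lookup is the point: the allow-list stops separators before any filesystem access, the parent comparison after resolve() catches anything that still escapes the directory, and comparing the reserved name after normalization means an alias such as a symlink or a dot-dot route to telegram.session is rejected even though the raw token string never equalled "telegram".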

Metrics

CVSS v3.1: 9.4
Severity: CRITICAL
Fixed in: 0.19.1
Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal flaw in fast-mcp-telegram, a Telegram MCP Server, lets a remote unauthenticated attacker bypass the reserved session name protection by embedding path separators in the HTTP Bearer token. The verifier joins the raw token string into a session-file path and only checks that the resulting file exists, without normalizing the path or rejecting separators, so a crafted token such as ../fast-mcp-telegram/telegram resolves to the default legacy session file instead of being rejected. The only precondition is that the documented default session file ~/.config/fast-mcp-telegram/telegram.session exists. Successful exploitation gives the attacker full read and write access to the victim account's Telegram session, with limited service disruption risk. The upstream fix is version 0.19.1, and a patched rebuild at that version is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images running any version of fast-mcp-telegram below 0.19.1, including custom-built images that bundle the library directly.

Status: Available
Triage

HarborGuard scores this finding at CVSS 9.4 Critical and applies per-environment compliance policy weighting to prioritize routing. Triage notifications are delivered to the inbox or ticketing integration configured for each customer organization.

Status: Available
Patch

The upstream fix is version 0.19.1. HarborGuard re-checks the advisory on every ingest cycle and provides a patched-image rebuild at that version for affected workloads. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads are triggered automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the fast-mcp-telegram HTTP server over the network; no local access is needed.

  • Authentication: Not required

    No valid credential is needed. The verifier only checks that a session file named after the token exists, so a token built from path separators is itself the payload that satisfies the check.

  • Victim interaction: Not required

    The exploit is entirely server-side and completes without any action from a user or operator.

  • Attack complexity: Low

    Exploitation is reliable; the only precondition is that the default session file exists at its documented location (~/.config/fast-mcp-telegram/telegram.session), which the attacker can assume rather than guess.

Blast Radius

  • The attacker authenticates as the default Telegram session and can read every message, contact, and media item accessible to that account.
  • The attacker can send messages and perform any other write operation the server's tools expose for that account (joining or leaving channels, changing settings), amounting to full write access to the Telegram account.
  • With account-prefixed MCP tools enabled, the attacker can invoke any prefixed tool tied to the default account, extending reach to any downstream automation those tools control.
  • Service availability is marginally affected (CVSS A:L): the session stays usable, but concurrent unauthorized use of the same session can produce unexpected behaviour for the legitimate user.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active and flags any image containing fast-mcp-telegram below 0.19.1. The upstream fix is version 0.19.1; a patched-image rebuild is available, and for customers with auto-remediation enabled the platform triggers the rebuild, runs regression tests, and opens a PR against affected workloads automatically. Upgrading to 0.19.1 or later is the remediation. Until that upgrade is rolled out, consider the following compensating controls: restrict network access to the fast-mcp-telegram HTTP port to trusted sources using network policy or firewall rules; place an authenticating reverse proxy in front of the MCP server that rejects any Bearer token containing characters outside a strict allow-list (in particular slashes, backslashes and dot-dot sequences) before the request reaches the vulnerable path-join logic; and where operationally feasible, disable the HTTP multi-user session interface and rely exclusively on the stdio transport until the upgrade is applied.

Affected packages
  • leshchenko1979 / fast-mcp-telegram
    < 0.19.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L