CVE-2026-52830
leshchenko1979 · fast-mcp-telegram
A path traversal vulnerability in the fast-mcp-telegram MCP server allows remote attackers to bypass session authentication via malicious HTTP Bearer tokens.
Executive summary
The fast-mcp-telegram server is vulnerable to an authentication bypass attack that permits unauthorized access to legacy session data, posing a critical risk to system integrity.
Vulnerability
The server derives the session-file path from the HTTP Bearer token without proper path validation, so a token containing path separators can traverse directories. An unauthenticated remote user can thereby steer the lookup to the default legacy session file and authenticate as that session.
Business impact
Successful exploitation permits unauthorized access to Telegram session data and associated MCP tools. Given the high CVSS score of 9.4, this vulnerability could lead to significant unauthorized interaction with Telegram accounts, potentially resulting in data exfiltration or unauthorized command execution within the application context.
Remediation
Immediate Action: Upgrade to version 0.19.1 or later immediately to incorporate the necessary path normalization and validation logic.
Proactive Monitoring: Review server access logs for anomalous Bearer token strings containing path traversal characters such as "../" or unexpected session file references.
Compensating Controls: Implement strict network-level access controls to restrict access to the MCP server to known, trusted IP addresses until the patch is applied.
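The two defender-side pieces the advisory calls for, as an added example that is not code from the fast-mcp-telegram project: a token-to-session-file resolver that cannot be steered outside the session directory (the fix the Vulnerability section describes), and a log check for the anomalous Bearer tokens named under Proactive Monitoring. The session directory, token format and log layout are assumptions; the project's real ones are not given on the page.

```python
import re
from pathlib import Path

# Constructed values: the project's real session directory, token format and
# access-log layout are not on the page, so these are assumptions.
SESSION_DIR = Path("/srv/fast-mcp-telegram/sessions")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")            # allowlist: no '.', '/', '\'
TRAVERSAL_RE = re.compile(r"\.\.|[/\\]|%2e|%2f|%5c", re.IGNORECASE)

class InvalidToken(ValueError):
    """Raised when a Bearer token cannot be mapped to a session file safely."""

def session_path_for_token(token: str, session_dir: Path = SESSION_DIR) -> Path:
    """Map a Bearer token to <session_dir>/<token>.session. Two independent checks:
    a character allowlist on the token, then containment of the resolved path."""
    if not TOKEN_RE.fullmatch(token):
        raise InvalidToken("token contains characters outside the allowlist")
    base = session_dir.resolve()
    candidate = (base / f"{token}.session").resolve()
    if candidate.parent != base:   # defence in depth: never leave session_dir
        raise InvalidToken("token resolved outside the session directory")
    return candidate

def rejects(token: str) -> bool:
    """True if the resolver refuses the token (used to demonstrate the checks)."""
    try:
        session_path_for_token(token)
    except InvalidToken:
        return True
    return False

def suspicious_bearer_tokens(log_lines):
    """Return (line_number, token) for Bearer values carrying traversal markers:
    '..', a path separator, or their URL-encoded forms."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'Bearer\s+([^\s"]+)', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

# Constructed access-log lines (documentation IP ranges, made-up tokens).
SAMPLE_LOG = [
    '2026-01-15T10:02:11Z 203.0.113.5 POST /mcp "Authorization: Bearer Zx9Qw3Lm8Np2Vb7Ct4Rk"',
    '2026-01-15T10:02:13Z 198.51.100.7 POST /mcp "Authorization: Bearer ../legacy"',
    '2026-01-15T10:02:14Z 198.51.100.7 POST /mcp "Authorization: Bearer ..%2F..%2Flegacy"',
]

if __name__ == "__main__":
    print(session_path_for_token("Zx9Qw3Lm8Np2Vb7Ct4Rk"), suspicious_bearer_tokens(SAMPLE_LOG))
```

The allowlist alone closes the traversal vector; the containment check is kept so that a later change to the token format cannot silently reopen it.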
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this flaw necessitates immediate attention. Administrators must prioritize updating the fast-mcp-telegram package to version 0.19.1 to eliminate the path traversal vector. Failure to remediate could allow attackers to hijack sessions and gain unauthorized control over managed Telegram accounts.