Executive Summary
A critical path traversal vulnerability in fast-mcp-telegram, an open-source Telegram MCP (Model Context Protocol) Server, allows attackers to bypass HTTP Bearer token authentication and read arbitrary session files from the server. Assigned CVE-2026-52830 and rated CVSS 9.4, the flaw was patched in version 0.19.1.
Vulnerability Details
| Field | Details |
|---|---|
| CVE | CVE-2026-52830 |
| CVSS | 9.4 (Critical) |
| Type | Path Traversal / Authentication Bypass |
| Component | HTTP Bearer token verification in fast-mcp-telegram |
| Authentication | None required (unauthenticated attacker) |
| Affected | fast-mcp-telegram < 0.19.1 |
| Fixed | fast-mcp-telegram 0.19.1 |
Technical Analysis
The vulnerability exists in the HTTP Bearer token verification routine of fast-mcp-telegram. When a request arrives, the server joins the raw token string directly into a session-file path to locate the corresponding session. The verifier correctly rejects the exact reserved token telegram, but it does not reject path separators (e.g., ../) or normalize the path before performing the check.
Attack Scenario
An attacker supplies a crafted Bearer token containing path traversal sequences such as ../../etc/passwd or ../sessions/victim-session-token. Because the raw token is concatenated into the path without sanitization, the server constructs a traversed file path, reads the file, and processes it as a valid session — effectively bypassing authentication and exposing file contents that may include active session credentials.
Root Cause
token = request.headers["Authorization"].split("Bearer ")[1]
session_path = os.path.join(sessions_dir, token) # No normalization
if os.path.exists(session_path): # Traversal succeeds
load_session(session_path)
The missing os.path.realpath() or os.path.abspath() normalization, combined with an absence of a prefix check against the sessions directory, creates the exploitable condition.
Impact
- Authentication bypass: An unauthenticated network attacker can forge session identities.
- Arbitrary file read: Session files — which contain Telegram credentials and active session data — can be extracted.
- Account takeover: Stolen session tokens allow full control of the authenticated Telegram account used by the MCP server.
- MCP agent compromise: In agentic deployments, a compromised Telegram MCP could pivot to connected AI systems and downstream tools.
Affected Versions
| Package | Affected | Fixed |
|---|---|---|
| fast-mcp-telegram (PyPI) | < 0.19.1 | 0.19.1 |
Remediation
Immediate Action
Upgrade to fast-mcp-telegram 0.19.1 or later.
pip install --upgrade fast-mcp-telegramMitigations If You Cannot Patch Immediately
- Restrict network access — Place the MCP server behind a firewall or VPN; do not expose it directly to the internet.
- Rotate Telegram session credentials — Assume any active session may have been compromised if the server was internet-accessible.
- Audit logs — Review server access logs for unusual Bearer tokens containing
..sequences.
Detection
Look for Bearer tokens in server logs that contain path traversal sequences:
../
..\
%2e%2e%2f
%2e%2e/
..%2f
Monitor for file access outside the sessions directory using auditd or eBPF-based tools.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Confidentiality / Integrity / Availability: High
If you are running fast-mcp-telegram in any AI agent or automation pipeline, update immediately and rotate all Telegram session credentials. Path traversal in MCP servers is particularly dangerous due to the privileged access these servers hold on behalf of AI agents.