fast-mcp-telegram Vulnerability Lets Attackers Access Default Telegram Sessions
A critical vulnerability in fast-mcp-telegram can let a remote attacker bypass bearer-token authentication and access a default Telegram account session without knowing the correct token.
The flaw is tracked as CVE-2026-52830. The GitHub Advisory Database says the issue affects fast-mcp-telegram versions up to and including 0.19.0, and that version 0.19.1 fixes the vulnerability.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The problem affects deployments using HTTP authentication where the default legacy session file exists. According to the NVD entry, a crafted bearer token can reach the documented default session file and authenticate the attacker as that Telegram account.
What is fast-mcp-telegram?
fast-mcp-telegram is a Telegram MCP server that connects AI agents or clients to Telegram through MCP and HTTP transports. It bridges requests to Telegramโs MTProto API and exposes tools for messaging, search, attachments, chat discovery, and direct API calls.
The packageโs PyPI page describes it as a multi-tenant Telegram gateway for AI agents, with HTTP and stdio transport support. In HTTP-auth deployments, bearer tokens help map remote requests to the correct Telegram session.
That design makes authentication especially important. If a token can be turned into a filesystem path, the authentication boundary can collapse from โprove you know a secret tokenโ into โguess a path that reaches a session file.โ
| Item | Details |
|---|---|
| CVE | CVE-2026-52830 |
| Package | fast-mcp-telegram |
| Ecosystem | PyPI |
| Affected versions | All versions before 0.19.1 |
| Fixed version | 0.19.1 and later |
| Severity | Critical |
| CVSS 3.1 score | 9.4 |
| Main impact | Authentication bypass to the default Telegram session |
How the token path traversal works
The vulnerable authentication logic joins the raw HTTP bearer token into a session-file path. It blocks the exact reserved token name โtelegram,โ but it does not properly block path separators, traversal sequences, or paths that resolve outside the intended token namespace.
That allows a token such as โ../fast-mcp-telegram/telegramโ to resolve to the same default session file that the reserved โtelegramโ name was meant to protect. If the file exists, the server accepts the traversal-based token as a valid session.
The GitHub advisory says the default session path is ~/.config/fast-mcp-telegram/telegram.session. The exact reserved token is rejected, but the traversal alias can still reach the same file.
- A remote client sends a crafted HTTP bearer token.
- The server appends the token to the configured session directory.
- The token contains path traversal segments.
- The resolved path reaches the default Telegram session file.
- The server treats the session file as proof of authentication.
- The attacker can call Telegram MCP tools as the default account.
What attackers could do after bypassing authentication
The impact depends on what the exposed fast-mcp-telegram server can access. If the default Telegram session belongs to a real user or bot, the attacker may be able to interact with Telegram through that account.
The CVE-2026-52830 record says an attacker can call Telegram MCP tools for the default account, including message reading, message sending, MTProto API calls, and attachment-producing tool surfaces available to the session.
This does not mean the bug gives blanket access to every file on the server. The confirmed vulnerability is an authentication bypass that uses path traversal to select the protected default Telegram session.
- Read Telegram messages exposed through the configured tools.
- Send Telegram messages as the compromised session.
- Invoke supported MTProto API calls.
- Access attachments or file-producing tool surfaces exposed to the session.
- Abuse the accountโs Telegram identity for follow-on attacks.
Why the flaw is rated critical
GitHub assigns the vulnerability a CVSS 3.1 score of 9.4, with network attack vector, low attack complexity, no privileges required, and no user interaction required.
The issue maps to both path traversal and improper authentication. The GitLab Advisory Database also lists the flaw as critical and identifies all versions before 0.19.1 as affected.
Because the vulnerable server exposes Telegram account actions over HTTP, a successful attack can affect confidentiality and integrity. Availability impact is listed as lower, but the account-level consequences can still be serious.
| CVSS field | Value | Meaning |
|---|---|---|
| Attack vector | Network | The attacker can reach the vulnerable endpoint remotely |
| Attack complexity | Low | The attack does not require difficult conditions |
| Privileges required | None | No valid token is needed |
| User interaction | None | No victim click or approval is required |
| Confidentiality impact | High | Messages and session-accessible data may be exposed |
| Integrity impact | High | Attackers may send messages or invoke actions |
| Availability impact | Low | Service disruption is not the primary impact |
Account prefixes do not stop the bypass
fast-mcp-telegram supports account-prefixed MCP tools, which can help separate tool names across multiple Telegram accounts. However, that control runs after authentication.
Once the traversal token is accepted as a valid session, the prefix middleware exposes the prefixed tools for the default account. It can still block unprefixed calls in some cases, but it cannot restore the lost session-selection boundary.
The GitLab advisory confirms this distinction: account-prefixed tools remain visible and callable for the default account after traversal authentication, so the prefix middleware does not stop the session selection bypass.
Who is most exposed?
The highest-risk deployments are fast-mcp-telegram servers that expose HTTP authentication to untrusted clients and still have the default telegram.session file in the documented configuration path.
Local stdio-only use is less exposed because the attack requires a remote HTTP client reaching the authentication flow. Still, developers should upgrade because projects often move from local testing to remote deployment over time.
The fast-mcp-telegram package listing shows that newer releases are available after the 0.19.1 fix. Users should install a current version rather than staying on a vulnerable build.
- HTTP-auth deployments exposed to the internet or shared networks face the highest risk.
- Servers with the default telegram.session file are the key target condition.
- Multi-user deployments are more sensitive because token isolation matters more.
- Local-only stdio setups have lower remote exposure but should still update.
- Any deployment using Telegram accounts with sensitive chats or privileges needs priority review.
How developers fixed the issue
The right fix is to treat bearer tokens as opaque identifiers, not filesystem paths. A token should prove possession of a generated secret, not describe where a session file lives.
The vulnerability maps to improper authentication because the server accepted a path-derived token as proof of identity. It also maps to path traversal because the token could contain โ..โ segments and separators that changed the final session-file path.
In practice, secure implementations should reject unsafe token characters, normalize paths before use, and confirm that resolved session files remain directly inside the intended session directory.
- Allow only a strict token character set, such as generated URL-safe random identifiers.
- Reject slashes, backslashes, dot segments, empty path segments, and absolute paths.
- Resolve the final path and require it to stay inside the configured session directory.
- Apply the same validation across header auth, URL auth, setup flows, cleanup logic, and session opening code.
- Add regression tests for traversal aliases, reserved names, Windows separators, absolute paths, and valid generated tokens.
What users should do now
Users should upgrade fast-mcp-telegram to version 0.19.1 or later immediately. Teams should also check whether any remote deployments expose HTTP-auth endpoints to the internet or to untrusted internal networks.
After updating, administrators should rotate bearer tokens and review the Telegram session files present on the server. If the vulnerable service was exposed, treat the default Telegram account session as potentially accessed.
The main lesson is simple: session tokens should not double as file paths. In MCP servers, where tool calls can read messages, send data, and invoke external APIs, small authentication mistakes can quickly become account-level compromises.
FAQ
CVE-2026-52830 is a critical fast-mcp-telegram vulnerability that lets a remote HTTP client bypass bearer-token authentication through path traversal and access the default Telegram session when the default session file exists.
All fast-mcp-telegram versions before 0.19.1 are affected. The vulnerability is fixed in version 0.19.1 and later releases.
If the default Telegram session file exists and the HTTP-auth endpoint is reachable, attackers can authenticate as the default Telegram account and use exposed MCP tools to read messages, send messages, invoke MTProto API calls, and access available attachment surfaces.
No. Account-prefix middleware runs after authentication. Once the traversal token is accepted as a valid session, prefixed tools for the default account can still be visible and callable.
Users should upgrade to fast-mcp-telegram 0.19.1 or later, rotate bearer tokens, review exposed HTTP-auth deployments, and treat the default Telegram session as potentially compromised if the vulnerable server was reachable by untrusted clients.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages