fast-mcp-telegram Vulnerability Lets Attackers Access Default Telegram Sessions


A critical vulnerability in fast-mcp-telegram can let a remote attacker bypass bearer-token authentication and access a default Telegram account session without knowing the correct token.

The flaw is tracked as CVE-2026-52830. The GitHub Advisory Database says the issue affects fast-mcp-telegram versions up to and including 0.19.0, and that version 0.19.1 fixes the vulnerability.

The problem affects deployments using HTTP authentication where the default legacy session file exists. According to the NVD entry, a crafted bearer token can reach the documented default session file and authenticate the attacker as that Telegram account.

What is fast-mcp-telegram?

fast-mcp-telegram is a Telegram MCP server that connects AI agents or clients to Telegram through MCP and HTTP transports. It bridges requests to Telegramโ€™s MTProto API and exposes tools for messaging, search, attachments, chat discovery, and direct API calls.

The packageโ€™s PyPI page describes it as a multi-tenant Telegram gateway for AI agents, with HTTP and stdio transport support. In HTTP-auth deployments, bearer tokens help map remote requests to the correct Telegram session.

That design makes authentication especially important. If a token can be turned into a filesystem path, the authentication boundary can collapse from โ€œprove you know a secret tokenโ€ into โ€œguess a path that reaches a session file.โ€

ItemDetails
CVECVE-2026-52830
Packagefast-mcp-telegram
EcosystemPyPI
Affected versionsAll versions before 0.19.1
Fixed version0.19.1 and later
SeverityCritical
CVSS 3.1 score9.4
Main impactAuthentication bypass to the default Telegram session

How the token path traversal works

The vulnerable authentication logic joins the raw HTTP bearer token into a session-file path. It blocks the exact reserved token name โ€œtelegram,โ€ but it does not properly block path separators, traversal sequences, or paths that resolve outside the intended token namespace.

That allows a token such as โ€œ../fast-mcp-telegram/telegramโ€ to resolve to the same default session file that the reserved โ€œtelegramโ€ name was meant to protect. If the file exists, the server accepts the traversal-based token as a valid session.

The GitHub advisory says the default session path is ~/.config/fast-mcp-telegram/telegram.session. The exact reserved token is rejected, but the traversal alias can still reach the same file.

  1. A remote client sends a crafted HTTP bearer token.
  2. The server appends the token to the configured session directory.
  3. The token contains path traversal segments.
  4. The resolved path reaches the default Telegram session file.
  5. The server treats the session file as proof of authentication.
  6. The attacker can call Telegram MCP tools as the default account.

What attackers could do after bypassing authentication

The impact depends on what the exposed fast-mcp-telegram server can access. If the default Telegram session belongs to a real user or bot, the attacker may be able to interact with Telegram through that account.

The CVE-2026-52830 record says an attacker can call Telegram MCP tools for the default account, including message reading, message sending, MTProto API calls, and attachment-producing tool surfaces available to the session.

This does not mean the bug gives blanket access to every file on the server. The confirmed vulnerability is an authentication bypass that uses path traversal to select the protected default Telegram session.

  • Read Telegram messages exposed through the configured tools.
  • Send Telegram messages as the compromised session.
  • Invoke supported MTProto API calls.
  • Access attachments or file-producing tool surfaces exposed to the session.
  • Abuse the accountโ€™s Telegram identity for follow-on attacks.

Why the flaw is rated critical

GitHub assigns the vulnerability a CVSS 3.1 score of 9.4, with network attack vector, low attack complexity, no privileges required, and no user interaction required.

The issue maps to both path traversal and improper authentication. The GitLab Advisory Database also lists the flaw as critical and identifies all versions before 0.19.1 as affected.

Because the vulnerable server exposes Telegram account actions over HTTP, a successful attack can affect confidentiality and integrity. Availability impact is listed as lower, but the account-level consequences can still be serious.

CVSS fieldValueMeaning
Attack vectorNetworkThe attacker can reach the vulnerable endpoint remotely
Attack complexityLowThe attack does not require difficult conditions
Privileges requiredNoneNo valid token is needed
User interactionNoneNo victim click or approval is required
Confidentiality impactHighMessages and session-accessible data may be exposed
Integrity impactHighAttackers may send messages or invoke actions
Availability impactLowService disruption is not the primary impact

Account prefixes do not stop the bypass

fast-mcp-telegram supports account-prefixed MCP tools, which can help separate tool names across multiple Telegram accounts. However, that control runs after authentication.

Once the traversal token is accepted as a valid session, the prefix middleware exposes the prefixed tools for the default account. It can still block unprefixed calls in some cases, but it cannot restore the lost session-selection boundary.

The GitLab advisory confirms this distinction: account-prefixed tools remain visible and callable for the default account after traversal authentication, so the prefix middleware does not stop the session selection bypass.

Who is most exposed?

The highest-risk deployments are fast-mcp-telegram servers that expose HTTP authentication to untrusted clients and still have the default telegram.session file in the documented configuration path.

Local stdio-only use is less exposed because the attack requires a remote HTTP client reaching the authentication flow. Still, developers should upgrade because projects often move from local testing to remote deployment over time.

The fast-mcp-telegram package listing shows that newer releases are available after the 0.19.1 fix. Users should install a current version rather than staying on a vulnerable build.

  • HTTP-auth deployments exposed to the internet or shared networks face the highest risk.
  • Servers with the default telegram.session file are the key target condition.
  • Multi-user deployments are more sensitive because token isolation matters more.
  • Local-only stdio setups have lower remote exposure but should still update.
  • Any deployment using Telegram accounts with sensitive chats or privileges needs priority review.

How developers fixed the issue

The right fix is to treat bearer tokens as opaque identifiers, not filesystem paths. A token should prove possession of a generated secret, not describe where a session file lives.

The vulnerability maps to improper authentication because the server accepted a path-derived token as proof of identity. It also maps to path traversal because the token could contain โ€œ..โ€ segments and separators that changed the final session-file path.

In practice, secure implementations should reject unsafe token characters, normalize paths before use, and confirm that resolved session files remain directly inside the intended session directory.

  1. Allow only a strict token character set, such as generated URL-safe random identifiers.
  2. Reject slashes, backslashes, dot segments, empty path segments, and absolute paths.
  3. Resolve the final path and require it to stay inside the configured session directory.
  4. Apply the same validation across header auth, URL auth, setup flows, cleanup logic, and session opening code.
  5. Add regression tests for traversal aliases, reserved names, Windows separators, absolute paths, and valid generated tokens.

What users should do now

Users should upgrade fast-mcp-telegram to version 0.19.1 or later immediately. Teams should also check whether any remote deployments expose HTTP-auth endpoints to the internet or to untrusted internal networks.

After updating, administrators should rotate bearer tokens and review the Telegram session files present on the server. If the vulnerable service was exposed, treat the default Telegram account session as potentially accessed.

The main lesson is simple: session tokens should not double as file paths. In MCP servers, where tool calls can read messages, send data, and invoke external APIs, small authentication mistakes can quickly become account-level compromises.

FAQ

What is CVE-2026-52830?

CVE-2026-52830 is a critical fast-mcp-telegram vulnerability that lets a remote HTTP client bypass bearer-token authentication through path traversal and access the default Telegram session when the default session file exists.

Which fast-mcp-telegram versions are affected?

All fast-mcp-telegram versions before 0.19.1 are affected. The vulnerability is fixed in version 0.19.1 and later releases.

What can attackers do with this vulnerability?

If the default Telegram session file exists and the HTTP-auth endpoint is reachable, attackers can authenticate as the default Telegram account and use exposed MCP tools to read messages, send messages, invoke MTProto API calls, and access available attachment surfaces.

Does account-prefix middleware stop CVE-2026-52830?

No. Account-prefix middleware runs after authentication. Once the traversal token is accepted as a valid session, prefixed tools for the default account can still be visible and callable.

How can users fix the fast-mcp-telegram vulnerability?

Users should upgrade to fast-mcp-telegram 0.19.1 or later, rotate bearer tokens, review exposed HTTP-auth deployments, and treat the default Telegram session as potentially compromised if the vulnerable server was reachable by untrusted clients.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages