A critical security flaw has been discovered in the fast-mcp-telegram package that could allow remote attackers to access sensitive Telegram session data and perform unauthorized actions.
The vulnerability, tracked as CVE-2026-52830 , affects all versions up to 0.19.0 and has been fixed in version 0.19.1.
The issue stems from improper validation of HTTP Bearer tokens used for authentication. In fast-mcp-telegram, bearer tokens are used directly to construct file paths to session files.
While the application attempts to block the reserved session name “telegram,” it fails to sanitize or normalize user-supplied input properly. This oversight allows attackers to exploit path traversal techniques to bypass restrictions.
Fast-mcp-telegram Vulnerability
Specifically, the vulnerability allows attackers to supply crafted tokens such as “../fast-mcp-telegram/telegram,” which resolve to the default session file path on the server.
Although the exact token “telegram” is blocked, this traversal variant reaches the same file and is accepted by the system. As a result, an unauthenticated attacker can access the default Telegram session without a valid token.
This flaw becomes particularly dangerous in environments where the default session file exists, typically located at ~/.config/fast-mcp-telegram/telegram.session.
Once authenticated through this bypass, the attacker can interact with Telegram MCP tools associated with that account.
These actions may include reading messages, sending messages, invoking MTProto API calls, and accessing attachments exposed through the tool interface.
According to the GitHub Advisory Database, the vulnerability stems from a classic path traversal flaw combined with weak input validation.
The application does not restrict characters such as “/”, “..”, or absolute paths, nor does it verify whether the resolved file path stays within the intended directory.
As a result, the authentication boundary is effectively broken, allowing filesystem paths to dictate access-control decisions. Security researchers demonstrated the issue using a controlled proof-of-concept that confirmed the bypass.
The test showed that while legitimate tokens behave correctly and invalid paths are rejected, traversal-based tokens successfully authenticate and map to the protected default session.
Additionally, even though account-prefix controls remain in place, they do not mitigate the core authentication bypass.
To address the issue, developers are advised to enforce strict validation of bearer tokens. Tokens should be treated as opaque identifiers and limited to a safe character set, such as alphanumeric strings.
Applications should also normalize and securely resolve file paths, ensuring they remain within the designated session directory. Any tokens containing path traversal sequences or invalid characters must be rejected outright.
The maintainers have released version 0.19.1, and users are strongly urged to upgrade immediately to prevent potential exploitation, especially on deployments exposing HTTP authentication endpoints.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.

