CVE-2026-52830 — fast-mcp-telegram Path Traversal Bypasses Session Protection
AI relevance: MCP servers bridge AI agents to external services — a session bypass in an MCP server means an attacker can impersonate the agent operator and invoke tools bound to the default account, including messaging, file access, and credential stores.
- CVE-2026-52830 (CVSS 9.4, Critical) affects `fast-mcp-telegram`, a Telegram MCP server published on PyPI. The flaw was disclosed July 2, 2026.
- The server validates HTTP Bearer tokens by joining the raw token string directly into a session-file path, without rejecting path separators or traversal sequences such as `../`.
- The reserved session name `telegram` is explicitly blocked, but the check does not normalize paths, so a token such as `../fast-mcp-telegram/telegram` traverses to the default legacy session file at `~/.config/fast-mcp-telegram/telegram.session`.
- If that file exists, the server authenticates the attacker as the default legacy session, granting full access to the operator's Telegram account and every MCP tool bound to it.
- Even with account-prefixed MCP tools enabled, the prefix middleware does not prevent session selection bypass — the attacker still calls tools associated with the default account.
- Exploitation requires no prior authentication and no user interaction — only network access to the MCP server's HTTP endpoint.
- The vulnerability affects all versions prior to 0.19.1. The fix normalizes paths and rejects traversal sequences before session file lookup.
- This is the latest in a string of MCP server vulnerabilities exposing the protocol's growing attack surface — following CVE-2026-50143 (Apify MCP token leak), CVE-2026-40933 (Flowise MCP stdio RCE), and CVE-2026-10690 (DesktopCommander SSRF).
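The resolution logic the bullets above describe, as an added illustration in Python (the language of a PyPI package); this is not fast-mcp-telegram's own code. It assumes that sessions live in `~/.config/fast-mcp-telegram/` as `<token>.session`, which is consistent with the traversal path quoted in the advisory, and the home directory, the `SAFE_TOKEN` allowlist and the function names are hypothetical. The vulnerable resolver shows why a string-equality check on the reserved name is not enough; the hardened one allowlists the token and then checks containment and the reserved name on the resolved path.

```python
"""Added example, not fast-mcp-telegram's code: a minimal session-file
resolver reproducing the bug class described in the advisory, beside a
hardened one. Assumptions (not from the advisory): the session directory is
~/.config/fast-mcp-telegram/ and per-token sessions are stored there as
<token>.session; the home directory and function names are made up."""
import posixpath
import re
from typing import Optional

RESERVED_SESSION = "telegram"                       # reserved name from the advisory
CONFIG_DIR = "/home/op/.config/fast-mcp-telegram"   # assumed expansion of ~/.config/...
LEGACY_SESSION_FILE = posixpath.join(CONFIG_DIR, RESERVED_SESSION + ".session")
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # allowlist: one plain path component


def vulnerable_session_path(token: str) -> Optional[str]:
    """Bug class: the reserved name is rejected by plain string comparison,
    then the raw token is joined into the path. normpath stands in for what
    the kernel does with '..' when the file is opened."""
    if token == RESERVED_SESSION:
        return None
    return posixpath.normpath(posixpath.join(CONFIG_DIR, token + ".session"))


def safe_session_path(token: str) -> Optional[str]:
    """Hardened resolver: allowlist the token, normalize, then check the
    resolved path for both containment and the reserved name."""
    if not SAFE_TOKEN.fullmatch(token):
        return None                              # rejects '/', '\\', '..', NUL, '%', etc.
    candidate = posixpath.normpath(posixpath.join(CONFIG_DIR, token + ".session"))
    if posixpath.dirname(candidate) != CONFIG_DIR:
        return None                              # defence in depth: must be a direct child
    if posixpath.basename(candidate) == RESERVED_SESSION + ".session":
        return None                              # reserved-name check on the resolved name
    return candidate


def demo() -> dict:
    """Run the advisory's token through both resolvers."""
    traversal = "../fast-mcp-telegram/telegram"
    return {
        "vulnerable_blocks_reserved": vulnerable_session_path(RESERVED_SESSION) is None,
        "vulnerable_traversal_hits_legacy": vulnerable_session_path(traversal) == LEGACY_SESSION_FILE,
        "safe_rejects_traversal": safe_session_path(traversal) is None,
        "safe_rejects_reserved": safe_session_path(RESERVED_SESSION) is None,
        "safe_accepts_normal": safe_session_path("agent-a1")
        == posixpath.join(CONFIG_DIR, "agent-a1.session"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist alone already defeats the advisory's token; the containment and basename checks are there so that the reserved-name rule survives any future change to how tokens are mapped to files.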
Why it matters
MCP servers are the connective tissue between AI agents and external services. They hold session tokens, API keys, and user credentials. A path traversal that bypasses session authentication gives an attacker the agent operator's identity — and with it, every tool the operator has authorized. As MCP adoption accelerates, these servers become high-value targets, and basic input validation flaws like this remain shockingly common.
What to do
- Upgrade `fast-mcp-telegram` to version 0.19.1 or newer immediately.
- Audit any MCP server that constructs file paths from user-supplied input: ensure path normalization and traversal rejection before filesystem access, and verify that the resolved path stays inside the intended directory.
- Do not expose MCP server HTTP endpoints to the public internet. Use network-level access controls and authentication proxies.
- Review MCP server logs for anomalous Bearer token values containing `../` sequences, including percent-encoded forms such as `%2e%2e%2f`; these indicate active exploitation attempts.
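The log review in the last item, as an added example in Python (not code from the advisory or the project). The log format and the sample lines are constructed for the example; the checker goes slightly beyond the literal `../` test by peeling up to two layers of percent-encoding and by flagging any token that is not a single plain path component. If your reverse proxy redacts `Authorization` headers, as it should for real tokens, the same classification has to run inside the server's own authentication layer where the raw token is visible.

```python
"""Added example, not fast-mcp-telegram's code: scan constructed log lines for
Bearer tokens that carry path-traversal sequences, including percent-encoded
and double-encoded forms. The log format below is invented for the example."""
import re
from typing import List, Tuple
from urllib.parse import unquote

BEARER_RE = re.compile(r'Bearer\s+([^\s"]+)', re.IGNORECASE)
# '..' as a whole path component, with either separator, anywhere in the token
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SAFE_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")

# Constructed sample lines (not real server output); the addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '2026-07-02T10:14:01Z 203.0.113.7 POST /mcp "Authorization: Bearer agent-a1" 200',
    '2026-07-02T10:14:09Z 203.0.113.7 POST /mcp "Authorization: Bearer ../fast-mcp-telegram/telegram" 200',
    '2026-07-02T10:14:12Z 203.0.113.7 POST /mcp "Authorization: Bearer ..%2Ffast-mcp-telegram%2Ftelegram" 200',
    '2026-07-02T10:14:15Z 203.0.113.7 POST /mcp "Authorization: Bearer %252e%252e%252ffast-mcp-telegram%252ftelegram" 200',
    '2026-07-02T10:15:00Z 198.51.100.4 GET /health 200',
]


def decode_token(raw: str) -> str:
    """Peel up to two layers of percent-encoding so %2e%2e%2f and %252e... both surface."""
    cur = raw
    for _ in range(2):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify_token(raw: str) -> str:
    """'traversal' for a '..' component, 'suspicious' for anything outside the
    allowlist (separators, NUL, stray encoding), 'ok' otherwise."""
    tok = decode_token(raw)
    if TRAVERSAL_RE.search(tok):
        return "traversal"
    if not SAFE_TOKEN_RE.fullmatch(tok):
        return "suspicious"
    return "ok"


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (verdict, raw_token, line) for every Bearer token that is not 'ok'."""
    hits = []
    for line in lines:
        m = BEARER_RE.search(line)
        if not m:
            continue
        verdict = classify_token(m.group(1))
        if verdict != "ok":
            hits.append((verdict, m.group(1), line))
    return hits


if __name__ == "__main__":
    for verdict, token, line in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {token}")
```

Treat any `traversal` hit against a host that was running a version before 0.19.1 as a probable compromise of the default session, not merely a probe, since the request in the advisory succeeds without any further step.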