CVE-2026-52830 — fast-mcp-telegram Path Traversal Bypasses Session Protection

AI relevance: MCP servers bridge AI agents to external services — a session bypass in an MCP server means an attacker can impersonate the agent operator and invoke tools bound to the default account, including messaging, file access, and credential stores.

  • CVE-2026-52830 (CVSS 9.4, Critical) affects fast-mcp-telegram, a Telegram MCP Server published on PyPI. The flaw was disclosed July 2, 2026.
  • The server validates HTTP Bearer tokens by joining the raw token string directly into a session-file path, without rejecting path separators or traversal sequences such as ../.
  • The reserved session name telegram is explicitly blocked, but the check does not normalize paths — so a token like ../fast-mcp-telegram/telegram traverses to the default legacy session file at ~/.config/fast-mcp-telegram/telegram.session.
  • If that file exists, the server authenticates the attacker as the default legacy session, granting full access to the operator's Telegram account and all MCP tools bound to it.
  • Even with account-prefixed MCP tools enabled, the prefix middleware does not prevent session selection bypass — the attacker still calls tools associated with the default account.
  • Exploitation requires no prior authentication and no user interaction — only network access to the MCP server's HTTP endpoint.
  • The vulnerability affects all versions prior to 0.19.1. The fix normalizes paths and rejects traversal sequences before session file lookup.
  • This is the latest in a string of MCP server vulnerabilities exposing the protocol's growing attack surface — following CVE-2026-50143 (Apify MCP token leak), CVE-2026-40933 (Flowise MCP stdio RCE), and CVE-2026-10690 (DesktopCommander SSRF).

Why it matters

MCP servers are the connective tissue between AI agents and external services. They hold session tokens, API keys, and user credentials. A path traversal that bypasses session authentication gives an attacker the agent operator's identity — and with it, every tool the operator has authorized. As MCP adoption accelerates, these servers become high-value targets, and basic input validation flaws like this remain shockingly common.

What to do

  • Upgrade fast-mcp-telegram to version 0.19.1 or newer immediately.
  • Audit any MCP server that constructs file paths from user-supplied input — ensure path normalization and traversal rejection before filesystem access.
  • Do not expose MCP server HTTP endpoints to the public internet. Use network-level access controls and authentication proxies.
  • Review MCP server logs for anomalous Bearer token values containing ../ sequences — this indicates active exploitation attempts.
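As an added example (not the project's code), the flawed join described in the bullets above is reconstructed beside a hardened session lookup, together with the log check from the last bullet; the session-name allow-list, the base directory default and the log line format are assumptions.

```python
import os
import re
from pathlib import Path

SESSIONS_DIR = Path(os.path.expanduser("~/.config/fast-mcp-telegram"))  # directory named in the advisory
RESERVED = {"telegram"}                                                # default legacy session name
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")                         # assumed allow-list for session names
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)          # raw or URL-encoded traversal

def vulnerable_session_path(token: str, base: Path = SESSIONS_DIR) -> str:
    # Reconstruction of the flawed pattern (not the project's code): exact-match blocklist,
    # then the raw token joined into the path. normpath shows what the OS actually opens.
    if token in RESERVED:
        raise PermissionError("reserved session name")
    return os.path.normpath(str(base / f"{token}.session"))

def safe_session_path(token: str, base: Path = SESSIONS_DIR) -> Path:
    # Hardened lookup: allow-list the name first, then confirm the resolved path
    # still sits directly inside the sessions directory (defense in depth).
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("session name contains disallowed characters")
    if token in RESERVED:
        raise PermissionError("reserved session name")
    candidate = (base / f"{token}.session").resolve()
    if candidate.parent != base.resolve():
        raise PermissionError("session path escapes the sessions directory")
    return candidate

def token_is_safe(token: str, base: Path = SESSIONS_DIR) -> bool:
    try:
        return safe_session_path(token, base) is not None
    except (ValueError, PermissionError):
        return False

def suspicious_bearer_tokens(log_lines):
    # Log review step: flag Bearer tokens carrying traversal sequences. The line
    # format is constructed for this example; adapt the regex to your proxy's logs.
    hits = []
    for line in log_lines:
        m = re.search(r'Bearer\s+([^\s"]+)', line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not from any real deployment
    'POST /mcp 200 authorization="Bearer sess_a1b2c3"',
    'POST /mcp 200 authorization="Bearer ../fast-mcp-telegram/telegram"',
    'POST /mcp 401 authorization="Bearer sess_zz9"',
]
```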

Sources