What happened
CVE-2026-52830 (CVSS 9.4 Critical) was published to NVD on 2 July 2026. The fast-mcp-telegram Telegram MCP Server before 0.19.1 validates HTTP Bearer tokens by joining the raw token directly into a session-file filesystem path and checking that path. The verifier rejects only the exact string 'telegram' as a reserved token; it neither normalises the resulting path nor strips or rejects path separators. An attacker can therefore craft a token containing directory traversal sequences so that the path check lands on an attacker-controlled file instead of a real session file, bypassing authentication and gaining full access to the MCP server's capabilities.
Why it matters
MCP servers are privileged tool surfaces that AI agents call to take actions in external systems. Authentication bypass at the MCP transport layer allows an unauthenticated attacker to issue arbitrary tool calls as if they were a legitimately authenticated AI agent, potentially accessing Telegram accounts, exfiltrating messages, or using the MCP server as a pivot point into connected agent workflows.
Attack vector
An unauthenticated remote attacker supplies an HTTP Bearer token containing path separator characters (e.g. '../'). Because the verifier rejects only the exact reserved token string 'telegram' and does not normalise the path or strip traversal sequences before checking, the token is joined into the session-file path as-is. The attacker can thus point the check at an arbitrary file they control on the server's filesystem and impersonate an authenticated session.
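The following is an added illustration of the pattern the advisory describes, not code from fast-mcp-telegram: a verifier that rejects only the literal reserved token and joins the raw Bearer token into a session path, beside a hardened form that allowlists the token alphabet and confirms the resolved path stays inside the session directory. The session directory layout, the '.session' suffix, the token alphabet and all function names are assumptions made for the example; the attacker-controlled file and session file are constructed in temporary directories so it runs offline.

```python
import os
import re
import tempfile

# Constructed session directory standing in for the server's session store
# (an assumption; the real project's layout is not shown on the page).
SESSION_DIR = tempfile.mkdtemp(prefix="mcp-sessions-")
RESERVED_TOKEN = "telegram"  # the one literal the advisory says is rejected
# Assumed token alphabet: URL-safe characters only, so '/', '\\' and '.' can never appear.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{16,128}")


def vulnerable_session_path(token: str) -> str:
    """The pattern the advisory describes: reject the literal reserved token,
    then join the raw Bearer token into a path. Deliberately vulnerable."""
    if token == RESERVED_TOKEN:
        raise PermissionError("reserved token")
    # os.path.join discards SESSION_DIR entirely if token is absolute, and
    # never normalises '..' segments, so the result can leave SESSION_DIR.
    return os.path.join(SESSION_DIR, f"{token}.session")


def vulnerable_is_authenticated(token: str) -> bool:
    try:
        return os.path.isfile(vulnerable_session_path(token))
    except PermissionError:
        return False


def hardened_session_path(token: str) -> str:
    """Hardened form: allowlist the token alphabet, then confirm the resolved
    path is still inside SESSION_DIR (defence in depth against symlinks or a
    loosened allowlist)."""
    if token == RESERVED_TOKEN or not TOKEN_RE.fullmatch(token):
        raise PermissionError("token rejected")
    root = os.path.realpath(SESSION_DIR)
    candidate = os.path.realpath(os.path.join(root, f"{token}.session"))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("resolved path escapes the session directory")
    return candidate


def hardened_is_authenticated(token: str) -> bool:
    try:
        return os.path.isfile(hardened_session_path(token))
    except PermissionError:
        return False


def demo() -> dict:
    """Exercise both verifiers with a legitimate token, a '../' traversal token
    and an absolute-path token. All files are constructed for the example."""
    good_token = "a" * 32
    with open(os.path.join(SESSION_DIR, f"{good_token}.session"), "w") as f:
        f.write("legitimate session")

    # Attacker-controlled file outside the session directory.
    attacker_dir = tempfile.mkdtemp(prefix="attacker-")
    with open(os.path.join(attacker_dir, "evil.session"), "w") as f:
        f.write("attacker controlled")

    # '../<attacker dir>/evil' walks out of SESSION_DIR; an absolute token replaces it.
    traversal_token = os.path.join(os.path.relpath(attacker_dir, SESSION_DIR), "evil")
    absolute_token = os.path.join(attacker_dir, "evil")

    return {
        "good_vulnerable": vulnerable_is_authenticated(good_token),
        "good_hardened": hardened_is_authenticated(good_token),
        "traversal_vulnerable": vulnerable_is_authenticated(traversal_token),
        "traversal_hardened": hardened_is_authenticated(traversal_token),
        "absolute_vulnerable": vulnerable_is_authenticated(absolute_token),
        "absolute_hardened": hardened_is_authenticated(absolute_token),
        "reserved_vulnerable": vulnerable_is_authenticated(RESERVED_TOKEN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The allowlist is the real fix: a token that can only contain URL-safe characters can never carry a separator or a '..' segment, so the containment check after realpath is there only as a second line of defence. Note that os.path.join with an absolute second argument drops the first argument entirely, which is why the absolute-token case bypasses the vulnerable verifier just as the '../' case does.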
Affected systems
fast-mcp-telegram (Telegram MCP Server) < 0.19.1
Mitigation
Upgrade fast-mcp-telegram to version 0.19.1 or later. Until the upgrade is deployed, reject Bearer tokens containing '/', '\' or '..' at a reverse proxy in front of the server, and review access logs for Authorization headers carrying such sequences, since the mechanism described above requires them. Primary advisory: https://github.com/advisories/GHSA-rxw2-pc8j-vxwm