What happened
CVE-2026-52830 (CVSS 9.4 Critical, published 2026-07-02) affects fast-mcp-telegram, a Telegram MCP server, in versions prior to 0.19.1. The server authenticates HTTP Bearer tokens by joining the raw token string directly into a session-file path without normalising or rejecting path separators. The verifier rejects only the exact reserved token 'telegram'; it does not reject path traversal sequences. A remote, unauthenticated attacker can therefore send a crafted token such as '../fast-mcp-telegram/telegram' that resolves to the default legacy session file (~/.config/fast-mcp-telegram/telegram.session), bypassing session isolation and authenticating as the legacy Telegram account. With account-prefixed MCP tools enabled, the attacker gains full access to every MCP tool exposed for that Telegram session.
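The following is an added illustration, not fast-mcp-telegram's own code: it places the flawed pattern (reject only the literal reserved name, then join the raw token into a path) beside a hardened check that allow-lists the token character set, rejects reserved names, and confirms the resolved file still sits inside the session directory. The session directory, reserved-name set and token format are constructed assumptions.

```python
import re
from pathlib import Path

# Constructed stand-ins; the real server uses ~/.config/fast-mcp-telegram.
SESSION_DIR = Path("/tmp/mcp-sessions-example")
RESERVED_NAMES = {"telegram"}          # assumed reserved session name
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")  # assumed token format


def vulnerable_session_path(token: str) -> Path:
    """Flawed pattern: only the exact reserved string is refused, then the
    raw token is joined into the path, so '../' segments escape SESSION_DIR."""
    if token == "telegram":
        raise ValueError("reserved token")
    return (SESSION_DIR / f"{token}.session").resolve()


def safe_session_path(token: str) -> Path:
    """Hardened pattern: allow-list the characters, refuse reserved names
    case-insensitively, and verify the resolved path never leaves the base."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains disallowed characters")
    if token.lower() in RESERVED_NAMES:
        raise ValueError("reserved token")
    base = SESSION_DIR.resolve()
    candidate = (base / f"{token}.session").resolve()
    # Defence in depth: even if the allow-list were loosened later, a token
    # that resolves outside the session directory is still rejected.
    if candidate.parent != base:
        raise ValueError("session path escapes the session directory")
    return candidate


def token_accepted(token: str) -> bool:
    """True if the hardened verifier would accept the token."""
    try:
        safe_session_path(token)
        return True
    except ValueError:
        return False


def escapes_session_dir(path: Path) -> bool:
    """True if a resolved session path lies outside SESSION_DIR."""
    return path.parent != SESSION_DIR.resolve()
```

Running both functions on the traversal-style token shows the flawed version silently resolving to a file outside the session directory while the hardened version refuses it.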
Why it matters
Telegram MCP servers bridge AI agents to Telegram accounts with full message read/write permissions. An authentication bypass therefore lets an unauthenticated remote attacker invoke every MCP tool on behalf of the victim's Telegram account: reading private messages, sending messages, accessing group chats, and exfiltrating contact data. In agentic workflows where Telegram carries notifications, approvals, or command-and-control traffic, this amounts to a complete takeover of the AI agent's communication channel.
Attack vector
An unauthenticated HTTP request carrying a path-traversal Bearer token (e.g. '../fast-mcp-telegram/telegram') causes the server to resolve the default legacy session file, granting full MCP tool access over the victim's Telegram account.
Affected systems
fast-mcp-telegram < 0.19.1
Mitigation
Upgrade fast-mcp-telegram to version 0.19.1 or later. GitHub advisory: https://github.com/advisories/GHSA-rxw2-pc8j-vxwm