Improper Authentication in Telegram MCP Server by Leshchenko
CVE-2026-52830

9.4 CRITICAL

Key Information:

Vendor: Leshchenko
CVE Published: 2 July 2026

What is CVE-2026-52830?

The fast-mcp-telegram application, prior to version 0.19.1, contains an improper authentication vulnerability that allows a remote HTTP client to authenticate as the default legacy session. The cause is inadequate handling of HTTP Bearer tokens: the application substitutes the token string into a session file path without validating it. It rejects certain reserved token values but does not reject path separators, so a token can be made to resolve to a session file other than its own, bypassing session controls. The result is a session collision with the default account, giving the unauthenticated client access to the prefixed tools associated with that account. The issue is fixed in version 0.19.1.
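To make the defect and its fix concrete, the following added example (written for this page, not code from fast-mcp-telegram) contrasts the token-to-path pattern the advisory describes with a hardened mapping. The session directory layout, the default session name and the token syntax are assumptions, not taken from the project.

```python
import os
import re

# Hypothetical layout, not taken from fast-mcp-telegram: one session file per
# bearer token under SESSION_DIR, plus a reserved file for the legacy default.
SESSION_DIR = "/var/lib/mcp/sessions"
DEFAULT_SESSION = "default"          # assumed name of the legacy session
RESERVED = {DEFAULT_SESSION, ""}     # token values that must never map to a session
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,128}$")  # allowlist for token syntax


def session_path_weak(token: str) -> str:
    """Pattern the advisory describes: reject a few reserved strings, then
    substitute the raw token into the path with no separator check."""
    if token in RESERVED:
        raise ValueError("reserved token")
    return os.path.join(SESSION_DIR, token + ".session")


def session_path_hardened(token: str) -> str:
    """Allowlist the token syntax, then verify the resolved path is still a
    direct child of SESSION_DIR and is not the reserved default session."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the allowlist")
    if token in RESERVED:
        raise ValueError("reserved token")
    path = os.path.realpath(os.path.join(SESSION_DIR, token + ".session"))
    root = os.path.realpath(SESSION_DIR)
    # Defence in depth: even with the allowlist, confirm no traversal happened.
    if os.path.dirname(path) != root:
        raise ValueError("token escaped the session directory")
    if os.path.basename(path) == DEFAULT_SESSION + ".session":
        raise ValueError("token collides with the default session")
    return path


def escapes_session_dir(path: str) -> bool:
    """True when a path does not resolve to a direct child of SESSION_DIR."""
    return os.path.dirname(os.path.realpath(path)) != os.path.realpath(SESSION_DIR)


def accepts(token: str) -> bool:
    """Does the hardened mapping accept this token at all?"""
    try:
        session_path_hardened(token)
        return True
    except ValueError:
        return False
```

The weak variant lets a token containing a separator resolve outside its own session file; the hardened variant rejects it before any path is built.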

Affected Version(s)

fast-mcp-telegram < 0.19.1

CVSS V3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 2 July 2026

  • Vulnerability reserved