Improper Authentication in Telegram MCP Server by Leshchenko
CVE-2026-52830
9.4 CRITICAL
What is CVE-2026-52830?
The fast-mcp-telegram application, prior to version 0.19.1, contains an improper authentication vulnerability that allows a remote HTTP client to authenticate as the default legacy session. The cause is inadequate handling of HTTP Bearer tokens: the token string is substituted into a session file path without proper validation. Specifically, the application rejects certain reserved tokens but does not sanitize the token for path separators, so the session controls can be bypassed. The result is a session collision with the default account, giving unauthorized access to the prefixed tools associated with that account. This vulnerability has been addressed in version 0.19.1.
Affected Version(s)
fast-mcp-telegram < 0.19.1
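The flaw described above, as an added illustrative example (this is not fast-mcp-telegram's code; the session directory, the reserved-name set, the file naming and the token format are assumptions): a token-to-session-path resolver that only rejects reserved names, beside a hardened one that allowlists the token characters and then confirms the resolved path still sits directly in the session directory and does not map to a reserved session.

```python
import re
from pathlib import Path

# Hypothetical layout, constructed for this example: one session file per
# bearer token, stored flat under SESSION_DIR as <token>.session.
SESSION_DIR = Path("/tmp/example-sessions")
RESERVED_NAMES = {"default"}          # assumed name of the legacy session file
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")  # assumed token alphabet


def vulnerable_session_path(token: str) -> Path:
    """'Before' behaviour: reserved names are rejected, but the raw token is
    interpolated into the path, so a token containing a separator is accepted
    and selects a file outside the intended flat layout."""
    if token in RESERVED_NAMES:
        raise PermissionError("reserved session name")
    return SESSION_DIR / f"{token}.session"


def safe_session_path(token: str) -> Path:
    """Hardened resolver: allowlist the token, resolve the candidate path and
    require that it lives directly in SESSION_DIR and is not a reserved file."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside the allowlist")
    root = SESSION_DIR.resolve()
    candidate = (root / f"{token}.session").resolve()
    # Second layer: even if the allowlist were loosened later, the path must
    # not leave the session directory or land on the legacy session.
    if candidate.parent != root:
        raise ValueError("token escapes the session directory")
    if candidate.stem in RESERVED_NAMES:
        raise PermissionError("token maps to a reserved session")
    return candidate


def is_accepted(resolver, token: str) -> bool:
    """True when the resolver yields a path, False when it rejects the token."""
    try:
        resolver(token)
        return True
    except (ValueError, PermissionError):
        return False
```

The containment check uses resolved paths on both sides so that a symlinked session directory (for example /tmp on macOS) does not produce a false rejection.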
