logo

fast-mcp-telegram Critical Flaw Lets Attackers Bypass Bearer Token Authentication

ID: ef5b5d5a-6995-5fcd-83ac-3327ccc0ecd7

STIX ID: report--ef5b5d5a-6995-5fcd-83ac-3327ccc0ecd7

Feed Name: Cyber Press

Threat Score
70/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Lucas Martin

...
...

A critical path-traversal flaw in fast-mcp-telegram lets an attacker submit traversal-style Bearer tokens (for example `../fast-mcp-telegram/telegram`) that resolve to the default `telegram.session` file and bypass token authentication, enabling full impersonation of the linked Telegram account. The issue affects versions up to 0.19.0 and is fixed in 0.19.1; operators should upgrade immediately or remove/relocate any default `telegram.session` file as a temporary mitigation.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.