fast-mcp-telegram Critical Flaw Lets Attackers Bypass Bearer Token Authentication
ID: ef5b5d5a-6995-5fcd-83ac-3327ccc0ecd7
STIX ID: report--ef5b5d5a-6995-5fcd-83ac-3327ccc0ecd7
Feed Name: Cyber Press
Threat Score
A critical path-traversal flaw in fast-mcp-telegram lets an attacker submit traversal-style Bearer tokens (for example `../fast-mcp-telegram/telegram`) that resolve to the default `telegram.session` file and bypass token authentication, enabling full impersonation of the linked Telegram account. The issue affects versions up to 0.19.0 and is fixed in 0.19.1; operators should upgrade immediately or remove/relocate any default `telegram.session` file as a temporary mitigation.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
