{
  "claim": {
    "argus_claim_ref": null,
    "attacker_control": "HTTP Bearer token string containing path traversal sequences such as ../fast-mcp-telegram/telegram",
    "claimed_surface": "api_remote",
    "expected_impact": "authz_bypass",
    "finding_id": null,
    "id": null,
    "required_entrypoint_detail": "HTTP Bearer token passed to SessionFileTokenVerifier.verify_token() in the fast-mcp-telegram MCP server",
    "required_entrypoint_kind": "authenticate",
    "submission_reason": "ticket_derived_llm",
    "trigger_class": "service_api",
    "upstream_verdicts": {
      "claim_extraction": {
        "confidence": "high",
        "model": "accounts/fireworks/models/kimi-k2p7-code",
        "reason": "The ticket describes a remote HTTP client sending a crafted Bearer token containing path traversal sequences to SessionFileTokenVerifier.verify_token(), which resolves to the default telegram.session file and authenticates the attacker as the default account, enabling unauthorized access to Telegram MCP tools.",
        "source": "llm"
      }
    }
  },
  "latest_description": "## Summary\nfast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path without normalizing or rejecting path separators. Although the exact reserved token `telegram` is blocked, traversal aliases (e.g., `../fast-mcp-telegram/telegram`) resolve to the same default session file and are accepted. A remote HTTP client can authenticate as the default legacy session when `~/.config/fast-mcp-telegram/telegram.session` exists, enabling access to Telegram MCP tools as that account.\n\n## Affected Package\n- **Package**: fast-mcp-telegram (pip)\n- **Vulnerable versions**: <= 0.19.0\n- **Patched version**: 0.19.1\n\n## Details\n`SessionFileTokenVerifier.verify_token()` rejects exact reserved names (e.g., `telegram`) but then builds `session_path = session_dir / f\"{token}.session\"` without validating path separators or resolving/normalizing the path. This allows tokens containing `../` to resolve to the reserved `telegram.session` file. The same path-building logic is used when creating the Telegram client. As a result, a traversal alias bypasses reserved session name protections and authenticates the attacker as the default account. The account-prefix middleware only prefixes tools after authentication, so it cannot prevent the session selection bypass.\n\n## Reproduction Steps\n> The GitHub advisory provides a proof script (`validation_token_traversal.py`) that creates stub session files and validates the traversal bypass. Use it to reproduce the issue without real Telegram credentials.\n\n1. Clone the repository and enter it:\n   ```bash\n   git clone https://github.com/leshchenko1979/fast-mcp-telegram.git\n   cd fast-mcp-telegram\n   ```\n2. Run the validation script provided in the advisory:\n   ```bash\n   python validation_token_traversal.py\n   ```\n   (The script creates a temporary session directory with `telegram.session`, initializes `SessionFileTokenVerifier`, and tests traversal tokens.)\n\n### Expected Behavior\n- The reserved token `telegram` is rejected.\n- Traversal aliases should be rejected or normalized to prevent path escape.\n\n### Vulnerable Behavior\n- A traversal token such as `../fast-mcp-telegram/telegram` is accepted and resolves to the default `telegram.session` file.\n- The client builder uses the default session file and exposes the default account’s prefixed tools.\n\n## Indicators of Success\nThe proof script reports values similar to:\n```json\n{\n  \"reserved_default_token_denied\": true,\n  \"normal_random_token_allowed\": true,\n  \"missing_traversal_token_denied\": true,\n  \"traversal_alias_to_reserved_default_allowed\": true,\n  \"client_builder_used_default_session_file\": true\n}\n```\nThe presence of `\"traversal_alias_to_reserved_default_allowed\": true` and `\"client_builder_used_default_session_file\": true` confirms the bypass.\n",
  "product": "pip:fast-mcp-telegram",
  "severity": "critical",
  "status": "open",
  "summary": "fast-mcp-telegram <=0.19.0 allows bearer token path traversal to authenticate as the default telegram.session, bypassing reserved session name protections and enabling unauthorized access to Telegram MCP tools.",
  "ticket_id": "CVE-2026-52830"
}