# CVE-2026-52830

## Summary

fast-mcp-telegram <=0.19.0 allows bearer token path traversal to authenticate as the default telegram.session, bypassing reserved session name protections and enabling unauthorized access to Telegram MCP tools.

## Description

fast-mcp-telegram validates HTTP Bearer tokens by joining the raw token string into a session-file path without normalizing or rejecting path separators. Although the exact reserved token `telegram` is blocked, traversal aliases (e.g., `../fast-mcp-telegram/telegram`) resolve to the same default session file and are accepted. A remote HTTP client can authenticate as the default legacy session when `~/.config/fast-mcp-telegram/telegram.session` exists, enabling access to Telegram MCP tools as that account.

## Affected Package
- **Package**: fast-mcp-telegram (pip)
- **Vulnerable versions**: <= 0.19.0
- **Patched version**: 0.19.1

## Details
`SessionFileTokenVerifier.verify_token()` rejects exact reserved names (e.g., `telegram`) but then builds `session_path = session_dir / f"{token}.session"` without validating path separators or resolving/normalizing the path. This allows tokens containing `../` to resolve to the reserved `telegram.session` file. The same path-building logic is used when creating the Telegram client. As a result, a traversal alias bypasses reserved session name protections and authenticates the attacker as the default account. The account-prefix middleware only prefixes tools after authentication, so it cannot prevent the session selection bypass.
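The following is an added illustration, not the project's own code: the exact-name-then-raw-join pattern the Details describe, next to a hardened builder that allow-lists the token, resolves the path, and checks the reserved name on the resolved file. The reserved-name set, the token alphabet, and the `run_check` scratch-directory setup are assumptions for the example.

```python
"""Added example (not fast-mcp-telegram code): unsafe vs. hardened session lookup."""
import re
import tempfile
from pathlib import Path
from typing import Optional

RESERVED_SESSION_NAMES = {"telegram"}  # assumed: the reserved default name
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")  # assumed token alphabet


def session_path_unsafe(session_dir: Path, token: str) -> Optional[Path]:
    """Exact-name check followed by a raw join, as described in Details."""
    if token in RESERVED_SESSION_NAMES:
        return None
    return session_dir / f"{token}.session"


def session_path_hardened(session_dir: Path, token: str) -> Optional[Path]:
    # 1. Allow-list the token before it touches any path: no separators or
    #    dots means a traversal sequence can never be spelled.
    if not TOKEN_RE.fullmatch(token):
        return None
    base = session_dir.resolve()
    candidate = (base / f"{token}.session").resolve()
    # 2. Defense in depth: the resolved file must sit directly in session_dir.
    if candidate.parent != base:
        return None
    # 3. Check the reserved name on the resolved file, not on the raw token.
    if candidate.stem in RESERVED_SESSION_NAMES:
        return None
    return candidate


def run_check() -> dict:
    """Rebuild the advisory's scenario in a scratch dir with a constructed,
    empty telegram.session and report results as indicator-style booleans."""
    with tempfile.TemporaryDirectory() as tmp:
        session_dir = Path(tmp) / "fast-mcp-telegram"
        session_dir.mkdir()
        default = session_dir / "telegram.session"
        default.write_bytes(b"")  # stub file, no real credentials
        alias = "../fast-mcp-telegram/telegram"  # alias quoted in the advisory
        unsafe = session_path_unsafe(session_dir, alias)
        return {
            "reserved_default_token_denied": session_path_unsafe(session_dir, "telegram") is None,
            "unsafe_alias_resolves_to_default": unsafe is not None and unsafe.resolve() == default.resolve(),
            "hardened_alias_denied": session_path_hardened(session_dir, alias) is None,
            "hardened_reserved_token_denied": session_path_hardened(session_dir, "telegram") is None,
            "hardened_normal_token_allowed": session_path_hardened(session_dir, "x" * 32) is not None,
        }
```

The allow-list alone closes the bypass; the resolved-parent and resolved-stem checks remain as defense in depth should the token format ever be relaxed.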

## Reproduction Steps
> The GitHub advisory provides a proof script (`validation_token_traversal.py`) that creates stub session files and validates the traversal bypass. Use it to reproduce the issue without real Telegram credentials.

1. Clone the repository and enter it:
   ```bash
   git clone https://github.com/leshchenko1979/fast-mcp-telegram.git
   cd fast-mcp-telegram
   ```
2. Run the validation script provided in the advisory:
   ```bash
   python validation_token_traversal.py
   ```
   (The script creates a temporary session directory with `telegram.session`, initializes `SessionFileTokenVerifier`, and tests traversal tokens.)

### Expected Behavior
- The reserved token `telegram` is rejected.
- Traversal aliases should be rejected or normalized to prevent path escape.

### Vulnerable Behavior
- A traversal token such as `../fast-mcp-telegram/telegram` is accepted and resolves to the default `telegram.session` file.
- The client builder uses the default session file and exposes the default account’s prefixed tools.

## Indicators of Success
The proof script reports values similar to:
```json
{
  "reserved_default_token_denied": true,
  "normal_random_token_allowed": true,
  "missing_traversal_token_denied": true,
  "traversal_alias_to_reserved_default_allowed": true,
  "client_builder_used_default_session_file": true
}
```
The presence of `"traversal_alias_to_reserved_default_allowed": true` and `"client_builder_used_default_session_file": true` confirms the bypass.

## Metadata

- Product: pip:fast-mcp-telegram
- Severity: critical
- Status: open
