{
  "same_root_cause": true,
  "explanation": "Both the parent CVE and this variant stem from the same underlying bug: the bearer token is concatenated directly into a session file path without validating that it is a safe filename or normalizing the resulting path. The reserved-name check compares only the literal token string (before any path resolution), so any relative-path alias (./telegram, ../fast-mcp-telegram/telegram, telegram/../telegram) bypasses the check and still resolves to the same default telegram.session file.",
  "shared_sink": "SessionFileTokenVerifier.verify_token() in src/server_components/session_token_verifier.py (vulnerable 0.19.0); in 0.19.1 the equivalent sink is session_file_path() in src/server_components/session_token_validation.py.",
  "shared_entrypoint_family": "HTTP MCP endpoint /v1/mcp (and related HTTP auth surfaces) in http-auth mode",
  "trust_boundary": "A remote HTTP client sends a crafted Bearer token; the server uses that token to select a local session file. The input therefore crosses from the untrusted network into trusted filesystem/session selection.",
  "evidence": [
    "vuln_variant/artifacts/http_vuln_dot_slash.txt (HTTP 200 for ./telegram)",
    "vuln_variant/artifacts/http_vuln_original.txt (HTTP 200 for ../fast-mcp-telegram/telegram)",
    "vuln_variant/artifacts/http_vuln_reserved.txt (HTTP 401 for literal telegram)",
    "vuln_variant/artifacts/http_fixed_dot_slash.txt (HTTP 401 on 0.19.1)",
    "vuln_variant/artifacts/http_fixed_original.txt (HTTP 401 on 0.19.1)"
  ]
}
