overpod/mcp-telegram

v1.7.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2mo MCP SaaS Integrations

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

ai-tools claude gramjs mcp mcp-server model-context-protocol

+4 more

mtproto telegram typescript userbot

Affected surfaces

auth

Summary

AI summary

Session files now use strict 0o600 permissions and base64 validation, with automatic migration of existing sessions.

Full changelog

Security

Session file permissions — now written with 0o600 (owner-only read/write), directory with 0o700
Session validation — base64 format check before loading session strings

Features

Configurable session path — via constructor options.sessionPath, env TELEGRAM_SESSION_PATH, or default ~/.mcp-telegram/session
Auto-migration — existing sessions in legacy location (package root) are automatically moved to the new secure path

Breaking Changes

None — fully backward compatible. Existing sessions are auto-migrated.

Full Changelog: https://github.com/overpod/mcp-telegram/compare/v1.6.0...v1.7.0

Security Fixes

Session files now written with owner‑only permissions (0o600) and directories with 0o700; base64 format validation added before loading session strings

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track overpod/mcp-telegram

Get notified when new releases ship.

About overpod/mcp-telegram

Telegram MCP server via MTProto/GramJS — 20 tools for reading chats, searching messages, downloading media, managing contacts. QR code login, npx zero-install. Hosted version at mcp-telegram.com.

All releases →