CVE-2026-27896

Source
https://cve.org/CVERecord?id=CVE-2026-27896
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27896.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27896
Aliases
Downstream
Related
Published
2026-02-26T00:47:46.967Z
Modified
2026-03-02T02:47:25.893880Z
Severity
  • 7.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Summary
MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
Details

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags: a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and for cross-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.
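The behaviour the advisory describes, as an added Go example that is not the SDK's own code: LenientMethod shows encoding/json populating a field tagged json:"method" from a key spelled "METHOD", and StrictUnmarshalRequest is one hypothetical mitigation that rejects any member name outside an exact-case allowed set before unmarshaling. The Request type, the allowed-key set and the sample messages are constructed for this example; the SDK's actual case-sensitive decoder from commit 7b8d81c is not reproduced here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request is a minimal JSON-RPC 2.0 request shape, constructed for this
// example (not the SDK's own type).
type Request struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
}

// LenientMethod reproduces the stdlib behaviour the advisory describes:
// encoding/json matches object keys to struct tags case-insensitively, so a
// key spelled "METHOD" still lands in the field tagged json:"method".
func LenientMethod(raw []byte) (string, error) {
	var req Request
	if err := json.Unmarshal(raw, &req); err != nil {
		return "", err
	}
	return req.Method, nil
}

// allowedRequestKeys is the exact-case set of member names JSON-RPC 2.0
// defines for a request object.
var allowedRequestKeys = map[string]bool{
	"jsonrpc": true, "id": true, "method": true, "params": true,
}

// StrictUnmarshalRequest is a hypothetical case-sensitive decode written for
// this example. Decoding into a map first keeps keys with their original
// spelling, so any member whose name is not an exact-case match is rejected
// before the struct is populated. The rejected key is named in the error so a
// log line makes the event auditable.
func StrictUnmarshalRequest(raw []byte) (*Request, error) {
	var members map[string]json.RawMessage
	if err := json.Unmarshal(raw, &members); err != nil {
		return nil, err
	}
	for k := range members {
		if !allowedRequestKeys[k] {
			return nil, fmt.Errorf("jsonrpc: unexpected member %q (exact-case names only)", k)
		}
	}
	var req Request
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	if req.JSONRPC != "2.0" {
		return nil, fmt.Errorf("jsonrpc: unsupported version %q", req.JSONRPC)
	}
	if strings.TrimSpace(req.Method) == "" {
		return nil, fmt.Errorf("jsonrpc: missing method")
	}
	return &req, nil
}

func main() {
	// Constructed sample messages: a spec-conformant request and the same
	// request with non-standard casing of the "method" member.
	standard := []byte(`{"jsonrpc":"2.0","id":1,"method":"tools/list"}`)
	recased := []byte(`{"jsonrpc":"2.0","id":1,"METHOD":"tools/list"}`)
	for _, msg := range [][]byte{standard, recased} {
		m, _ := LenientMethod(msg)
		_, err := StrictUnmarshalRequest(msg)
		fmt.Printf("%s\n  lenient method=%q  strict err=%v\n", msg, m, err)
	}
}
```

The lenient path accepts both messages with method "tools/list", which is exactly the inconsistency an intermediary matching on the literal key "method" would miss; the strict path accepts only the first.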

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-178",
        "CWE-436"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27896.json"
}
References

Affected packages

Git / github.com/modelcontextprotocol/go-sdk

Affected ranges

Type
GIT
Repo
https://github.com/modelcontextprotocol/go-sdk
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1.0
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v1.*
v1.0.0
v1.1.0
v1.1.0-pre.1
v1.1.0-pre.2
v1.2.0
v1.2.0-pre.1
v1.2.0-pre.2
v1.3.0
v1.3.0-pre.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27896.json"