Description

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and coss-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.

INFO

Published Date :

2026-02-26T00:47:46.967Z

Last Modified :

2026-02-26T17:06:41.150Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27896 vulnerability.

Vendors Products
Lfprojects
  • Mcp Go Sdk
Modelcontextprotocol
  • Go-sdk
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27896.

URL Resource
https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0 cve-icon cve-icon cve-icon
https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-27896 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-27896 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact