2442903 – (CVE-2026-27896) CVE-2026-27896 modelcontextprotocol/go-sdk: improper handling of case sensitivity

Bug 2442903 (CVE-2026-27896) - CVE-2026-27896 modelcontextprotocol/go-sdk: improper handling of case sensitivity

Summary: CVE-2026-27896 modelcontextprotocol/go-sdk: improper handling of case sensiti...

Keywords:
Status:	NEW
Alias:	CVE-2026-27896
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-26 01:02 UTC by OSIDB Bzimport
Modified:	2026-02-26 18:25 UTC (History)
CC List:	23 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-26 01:02:02 UTC

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and coss-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.

Note You need to log in before you can comment on or make changes to this bug.

anpicker
bparees
dfreiber
dhanak
drosa
drow
dsimansk
hasun
jburrell
jfula
jkoehler
jowilson
kingland
kverlaen
lphiri
mnovotny
nyancey
ometelka
ptisnovs
sausingh
syedriko
vkumar
xdharmai