Case Sensitivity Issue in Go MCP SDK by Model Context Protocol
CVE-2026-27896

7HIGH

Key Information:

Vendor: Modelcontextprotocol
Status: Go-sdk
Vendor: CVE Published:; 26 February 2026

🔔 Create Modelcontextprotocol Vulnerability Alert

What is CVE-2026-27896?

The Go MCP SDK prior to version 1.3.1 exhibited a significant vulnerability stemming from its reliance on Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing, which permits case-insensitive matching of JSON keys. This implementation flaw posed a risk of accepting protocol messages with non-standard field casings, potentially allowing malicious entities to bypass protocol validation checks. This behavior conflicted with the JSON-RPC 2.0 specification that mandates precise field naming. To address this vulnerability, an update to version 1.3.1 introduced a case-sensitive decoder, ensuring compliance and enhanced security against intermediary inspection evasion.

Affected Version(s)

go-sdk < 1.3.1

References

https://github.com/modelcontextprotocol/go-sdk/security/a...

x_refsource_CONFIRM

https://github.com/modelcontextprotocol/go-sdk/commit/7b8...

x_refsource_MISC

CVSS V4

Score:

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 26, 2026
Vulnerability Reserved
Feb 24, 2026

CVE-2026-27896 Data

JSON