{"id":"CVE-2026-27896","summary":"MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity","details":"The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:\"method\" would also match \"Method\", \"METHOD\", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and cross-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.","aliases":["GHSA-wvj2-96wp-fq3f","GO-2026-4569"],"modified":"2026-04-10T05:38:41.563081Z","published":"2026-02-26T00:47:46.967Z","related":["CGA-vfrx-695v-7wq5","SUSE-SU-2026:1042-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-178","CWE-436"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27896.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27896.json"},{"type":"ADVISORY","url":"https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27896"},{"type":"FIX","url":"https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/modelcontextprotocol/go-sdk","events":[{"introduced":"0"},{"fixed":"6e8ca568e4f259fa33445e8a637057751cb26787"}]}],"versions":["v0.1.0","v0.2.0","v0.3.0","v0.3.1","v0.4.0","v0.5.0","v0.6.0","v0.7.0","v0.8.0","v1.0.0","v1.1.0","v1.1.0-pre.1","v1.1.0-pre.2","v1.2.0","v1.2.0-pre.1","v1.2.0-pre.2","v1.3.0","v1.3.0-pre.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27896.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"}]}