PT-2026-22069 · Unknown · Go Mcp Sdk
Anaximand3R · Published 2026-02-26 · Updated 2026-05-18 · CVE-2026-27896
CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Go MCP SDK versions prior to 1.3.1
Description
The Go MCP SDK used Go's standard encoding/json.Unmarshal to parse JSON-RPC and MCP protocol messages. The standard library matches JSON keys to struct field tags case-insensitively, so a field tagged json:"method" also matches "Method", "METHOD", etc. The matching also folds certain Unicode characters to their ASCII equivalents, such as 'ſ' (U+017F) to 's' and 'K' (U+212A) to 'k'. This behavior violates the JSON-RPC 2.0 specification, which requires exact field names. A malicious MCP peer could send protocol messages with non-standard field casing that the SDK would silently accept, potentially bypassing intermediary inspection and causing cross-implementation inconsistencies.
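The key matching described above, next to an exact-name check, as an added Go example; it is not code from the SDK or from its 1.3.1 fix. The request type, the allowed set and both function names are assumptions made for illustration, and the sample messages are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// request is a hypothetical stand-in for a JSON-RPC 2.0 request envelope.
type request struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params"`
}

// allowed lists the exact member names this sketch accepts on a request.
var allowed = map[string]bool{"jsonrpc": true, "id": true, "method": true, "params": true}

// lenientDecode uses encoding/json directly, so keys match tags case-insensitively.
func lenientDecode(data []byte) (r request, err error) {
	err = json.Unmarshal(data, &r)
	return r, err
}

// strictDecode checks the raw keys (a map keeps them byte for byte) before decoding.
func strictDecode(data []byte) (request, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return request{}, err
	}
	for k := range raw {
		if !allowed[k] {
			return request{}, fmt.Errorf("unexpected member name %q", k)
		}
	}
	return lenientDecode(data)
}

func main() {
	for _, s := range []string{ // constructed sample messages, not captured traffic
		`{"jsonrpc":"2.0","id":1,"method":"ping"}`,
		`{"jsonrpc":"2.0","id":1,"Method":"ping"}`,
		`{"j\u017fonrpc":"2.0","id":1,"method":"ping"}`,
	} {
		l, _ := lenientDecode([]byte(s))
		_, err := strictDecode([]byte(s))
		fmt.Printf("lenient method=%q jsonrpc=%q strict err=%v\n", l.Method, l.JSONRPC, err)
	}
}
```

The lenient path fills Method and JSONRPC for all three messages, while the exact-name check rejects the second and third.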
Recommendations
Update the Go MCP SDK to version 1.3.1 to resolve this issue.
Affected Products
Go Mcp Sdk