CVE-2026-27896
Description
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential to bypass intermediary inspection and to cause cross-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.
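The case-folding behaviour described above, next to an exact-key check, as an added example (not the SDK's code and not the patch in commit 7b8d81c). The request struct, the strictMethod helper and the sample messages are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// request holds the one field inspected here (shape assumed for this example).
type request struct {
	Method string `json:"method"`
}

// exactKeys: the only member names JSON-RPC 2.0 defines for a request.
var exactKeys = map[string]bool{"jsonrpc": true, "id": true, "method": true, "params": true}

// lenientMethod uses encoding/json alone; keys match tags case-insensitively.
func lenientMethod(raw []byte) (string, error) {
	var r request
	err := json.Unmarshal(raw, &r)
	return r.Method, err
}

// strictMethod (hypothetical helper) rejects any top-level key that is not an exact match.
func strictMethod(raw []byte) (string, error) {
	var keys map[string]json.RawMessage
	if err := json.Unmarshal(raw, &keys); err != nil {
		return "", err
	}
	for k := range keys {
		if !exactKeys[k] {
			return "", fmt.Errorf("unexpected member %q", k)
		}
	}
	return lenientMethod(raw)
}

// Constructed sample messages; shadowed supplies the same field in two casings.
var (
	wellFormed = []byte(`{"jsonrpc":"2.0","id":1,"method":"ping"}`)
	miscased   = []byte(`{"jsonrpc":"2.0","id":1,"Method":"ping"}`)
	shadowed   = []byte(`{"jsonrpc":"2.0","id":1,"method":"ping","METHOD":"tools/call"}`)
)

func main() {
	for _, m := range [][]byte{wellFormed, miscased, shadowed} {
		l, _ := lenientMethod(m)
		_, err := strictMethod(m)
		fmt.Printf("lenient=%q strictErr=%v\n", l, err)
	}
}
```

The map-based pre-check covers only the casing issue; it does not detect a repeated key with identical spelling.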
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/modelcontextprotocol/go-sdk (Go) | < 1.3.1 | 1.3.1 |
Affected products
OSV coordinates; no CPE is listed for any entry.
| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/datadog-cluster-agent-7.76 | < 7.76.1-r1 |
| pkg:apk/chainguard/datadog-cluster-agent-fips-7.76 | < 7.76.1-r2 |
| pkg:apk/chainguard/ferretdb | < 2.7.0-r7 |
| pkg:apk/chainguard/flux-operator-mcp | < 0.43.0-r1 |
| pkg:apk/chainguard/flux-operator-mcp-fips | < 0.41.1-r1 |
| pkg:apk/chainguard/github-mcp-server | < 0.31.0-r1 |
| pkg:apk/chainguard/gitlab-workhorse-ce-18.7 | < 18.7.5-r1 |
| pkg:apk/chainguard/gitlab-workhorse-ce-18.8 | < 18.8.5-r1 |
| pkg:apk/chainguard/gitlab-workhorse-ce-18.9 | < 18.9.1-r1 |
| pkg:apk/chainguard/gitlab-workhorse-ce-fips-18.7 | < 18.7.5-r1 |
| pkg:apk/chainguard/gitlab-workhorse-ce-fips-18.8 | < 18.8.5-r1 |
| pkg:apk/chainguard/gitlab-workhorse-ce-fips-18.9 | < 18.9.1-r1 |
| pkg:apk/chainguard/gptscript | < 0.9.8-r35 |
| pkg:apk/chainguard/jaeger-2-all-in-one | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-collector | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-fips-all-in-one | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-fips-collector | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-fips-ingester | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-fips-jaeger | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-fips-query | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-ingester | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-jaeger | < 2.15.1-r1 |
| pkg:apk/chainguard/jaeger-2-query | < 2.15.1-r1 |
| pkg:apk/chainguard/opencost | < 1.119.2-r1 |
| pkg:apk/chainguard/opencost-fips | < 1.119.2-r1 |
| pkg:apk/chainguard/osv-scanner | < 2.3.3-r2 |
| pkg:apk/wolfi/datadog-cluster-agent-7.76 | < 7.76.1-r1 |
| pkg:apk/wolfi/ferretdb | < 2.7.0-r7 |
| pkg:apk/wolfi/flux-operator-mcp | < 0.43.0-r1 |
| pkg:apk/wolfi/github-mcp-server | < 0.31.0-r1 |
| pkg:apk/wolfi/gptscript | < 0.9.8-r35 |
| pkg:apk/wolfi/jaeger-2-all-in-one | < 2.15.1-r1 |
| pkg:apk/wolfi/jaeger-2-collector | < 2.15.1-r1 |
| pkg:apk/wolfi/jaeger-2-ingester | < 2.15.1-r1 |
| pkg:apk/wolfi/jaeger-2-jaeger | < 2.15.1-r1 |
| pkg:apk/wolfi/jaeger-2-query | < 2.15.1-r1 |
| pkg:apk/wolfi/opencost | < 1.119.2-r1 |
| pkg:apk/wolfi/osv-scanner | < 2.3.3-r2 |
| pkg:golang/github.com/modelcontextprotocol/go-sdk | < 1.3.1 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 | < 0.0.20260317T205859-150000.1.152.1 |
References
- github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0 (nvd; Patch; WEB)
- github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f (nvd; Patch; Vendor Advisory; WEB)
- github.com/advisories/GHSA-wvj2-96wp-fq3f (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-27896 (ghsa; ADVISORY)