CVE-2026-27896

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and coss-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and coss-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.

MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity in github.com/modelcontextprotocol/go-sdk

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. Additionally, Go's standard library folds the Unicode characters ſ (U+017F) and K (U+212A) to their ASCII equivalents s and k, meaning fields like "paramſ" would match "params". This violated the JSON-RPC 2.0 specification, which defines exact field names. #### Impact: A malicious MCP peer may have been able to send protocol messages with non-standard field casing (e.g., "Method" instead of "method") that the SDK would silently accept. This had the potential for: - **Bypassing intermediary inspection:** Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages. - **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion. #### Fix: Go's standard JSON unmarshaling was replaced with a case-sensitive decoder (github.com/segmentio/encoding) in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue. #### Credits: MCP Go SDK thanks Francesco Lacerenza (Doyensec) for reporting this issue.

El SDK de Go MCP utilizaba la función estándar `encoding/json.Unmarshal` de Go para el análisis de mensajes del protocolo JSON-RPC y MCP en versiones anteriores a la 1.3.1. La biblioteca estándar de Go realiza una coincidencia que no distingue entre mayúsculas y minúsculas de las claves JSON con las etiquetas de campo de las estructuras — un campo etiquetado como json:'method' también coincidiría con 'Method', 'METHOD', etc. Esto violaba la especificación JSON-RPC 2.0, que define nombres de campo exactos. Un par MCP malicioso podría haber sido capaz de enviar mensajes de protocolo con un uso de mayúsculas y minúsculas no estándar en los campos que el SDK aceptaría silenciosamente. Esto tenía el potencial de eludir la inspección intermedia y la inconsistencia entre implementaciones. El desenmascaramiento JSON estándar de Go fue reemplazado por un decodificador que distingue entre mayúsculas y minúsculas en el commit 7b8d81c. Se aconseja a los usuarios actualizar a la versión 1.3.1 para resolver este problema.