CVE-2026-27896: MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity
The Go MCP SDK parsed JSON-RPC and MCP protocol messages with Go's standard encoding/json.Unmarshal. That package matches JSON object keys to struct field tags case-insensitively, so a field tagged json:"method" also accepts "Method", "METHOD", and so on. It also folds the Unicode characters ſ (U+017F, long s) and K (U+212A, Kelvin sign) to their ASCII equivalents s and k, so a key such as "paramſ" matches "params". This violated the JSON-RPC 2.0 specification, which defines exact field names.
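The following Go program is an added example, not code from the MCP Go SDK or from the advisory. It shows the standard-library behaviour on a constructed message whose keys are mis-cased and use the long-s variant of "params", and beside it a strict envelope check that rejects any top-level key that is not a byte-exact JSON-RPC member name before the struct decode runs. The Request type, the exactKeys set and the sample message are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request mirrors the shape of a JSON-RPC 2.0 request object (assumed for this example).
type Request struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
}

// Constructed sample: "Method" is mis-cased and "paramſ" ends in U+017F (long s),
// so neither key is spelled exactly as JSON-RPC 2.0 defines it.
const spoofedMessage = `{"jsonrpc":"2.0","id":1,"Method":"tools/call","paramſ":{"name":"x"}}`

// Constructed sample with exact member names, used to show the strict path accepting valid input.
const validMessage = `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"x"}}`

// LenientParse is the pattern the advisory describes: a plain encoding/json.Unmarshal.
// Go matches keys to struct tags case-insensitively and folds ſ/K to s/k, so the
// spoofed keys still populate Method and Params.
func LenientParse(data []byte) (Request, error) {
	var r Request
	err := json.Unmarshal(data, &r)
	return r, err
}

// exactKeys is the set of member names JSON-RPC 2.0 defines for a request object.
var exactKeys = map[string]bool{"jsonrpc": true, "id": true, "method": true, "params": true}

// StrictParse decodes the top-level object into a map first, which keeps the keys
// exactly as sent, and rejects any key that is not byte-for-byte a defined member.
// Only after that check does it hand the bytes to the struct decoder.
func StrictParse(data []byte) (Request, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(data, &raw); err != nil {
		return Request{}, err
	}
	for k := range raw {
		if !exactKeys[k] {
			return Request{}, fmt.Errorf("rejected: %q is not an exact JSON-RPC member name", k)
		}
	}
	var r Request
	if err := json.Unmarshal(data, &r); err != nil {
		return Request{}, err
	}
	return r, nil
}

func main() {
	lenient, err := LenientParse([]byte(spoofedMessage))
	fmt.Printf("lenient: method=%q params=%s err=%v\n", lenient.Method, lenient.Params, err)

	_, err = StrictParse([]byte(spoofedMessage))
	fmt.Printf("strict (spoofed): err=%v\n", err)

	strict, err := StrictParse([]byte(validMessage))
	fmt.Printf("strict (valid): method=%q err=%v\n", strict.Method, err)
}
```

The check above covers only the top-level envelope. Any nested object that is later decoded into a struct (the contents of params, for instance) is subject to the same folding, so the exact-key check has to be repeated at each level where exact member names matter, or the message has to be decoded with a parser that does not fold keys at all.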