Vulnerability in Modelcontextprotocol Go-sdk

CVE-2026-27896

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged…

EPSS: 0.000 (14.4th percentile) — read the EPSS interpretation.

Affected products

Modelcontextprotocol Go-sdk — versions < 1.3.1

Weakness classification (CWE)

References

https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f (x_refsource_CONFIRM)
https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0 (x_refsource_MISC)