RCE in Modelcontextprotocol Go-sdk
CVE-2026-34742
The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost…
EPSS: 0.000 (7.5th percentile)
Affected products
- Modelcontextprotocol Go-sdk — versions < 1.4.0
Weakness classification (CWE)
References
- https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-xw59-hvm2-8pj6 (x_refsource_CONFIRM)
- https://github.com/modelcontextprotocol/go-sdk/pull/760 (x_refsource_MISC)
- https://github.com/modelcontextprotocol/go-sdk/commit/67bd3f2e2b53ce11a16db8d976cdb8ff1e986b6d (x_refsource_MISC)
- https://github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.0 (x_refsource_MISC)