Modelcontextprotocol Go-sdk
3 CVEs affecting Modelcontextprotocol Go-sdk. Latest disclosed: 2026-04-02. Critical: 0, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2026-33252 | High | 7.1 | 2026-03-23 | The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` re… |
CVE-2026-34742 | | 2026-04-02 | The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by de… | |
CVE-2026-27896 | | 2026-02-26 | The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library perfo… |