3 matches found
CVE-2026-27896
The CVE-2026-27896 concerns the Go MCP SDK, affected in versions prior to 1.3.1, where Go’s json.Unmarshal (case-insensitive field matching) could accept non-standard JSON-RPC/MCP field casing. This violates JSON-RPC 2.0’s exact field names and could allow messages to bypass intermediary inspecti...
CVE-2026-34742
The CVE-2026-34742 entry concerns the Model Context Protocol (MCP) Go SDK. Prior to version 1.4.0, an HTTP-based MCP server running on localhost without authentication did not enable DNS rebinding protection by default, allowing a malicious website to bypass same-origin policy and send requests t...
CVE-2026-33252
CVE-2026-33252 – Go MCP SDK CSRF risk : The Go MCP SDK’s Streamable HTTP transport uses Go’s encoding/json and, before patch 1.4.1, accepts browser-generated cross-site POST requests without validating the Origin header or enforcing Content-Type: application/json. In unauthenticated, stateless, o...