CVE-2026-27896: Case-Insensitive Chaos: Bypassing Security Controls in MCP Go SDK

Published: 2 months ago (February 27, 2026 at 12:10 AM EST)

1 min read

Source: Dev.to

Source: Dev.to

Vulnerability Overview

Vulnerability ID: CVE-2026-27896
CVSS Score: 7.0 (High)
Published: 2026-02-26
CWE: CWE-436 (Interpretation Conflict)
Secondary CWE: CWE-178 (Improper Handling of Case Sensitivity)
CVSS v4.0 Vector: Network (AV:N)
EPSS Score: 0.00048 (Low Probability)

A high‑severity interpretation conflict in the Model Context Protocol (MCP) Go SDK allows attackers to bypass security intermediaries. The SDK relies on Go’s standard encoding/json package, which parses JSON keys case‑insensitively. Security tools that enforce the case‑sensitive JSON‑RPC 2.0 specification may only block the lowercase "method" key, allowing an attacker to use "Method" (or other capitalizations) to smuggle malicious payloads past Web Application Firewalls (WAFs).

Affected Versions

Model Context Protocol (MCP) Go SDK:
Full CVE Report: Read the full report for CVE-2026-27896 (includes interactive diagrams and full exploit analysis)

CVE-2026-27896: Case-Insensitive Chaos: Bypassing Security Controls in MCP Go SDK

Vulnerability Overview

Affected Versions

Related posts

ClawJacked attack let malicious websites hijack OpenClaw to steal data

MCP Has a Supply Chain Problem

CVE-2026-27449: Unauthenticated Data Exposure via Broken Access Control in Umbraco Engage

CVE-2026-27465: Fleet's Open Secret: The Google Calendar Key Leak