Case-Insensitive Chaos: Bypassing Security Controls in MCP Go SDK
Vulnerability ID: CVE-2026-27896
CVSS Score: 7.0
Published: 2026-02-26
A high-severity interpretation conflict in the Model Context Protocol (MCP) Go SDK allows attackers to bypass security intermediaries. By exploiting Go's standard library JSON parsing behavior, which is case-insensitive by default, attackers can smuggle malicious payloads past WAFs that strictly adhere to the case-sensitive JSON-RPC 2.0 specification.
TL;DR
The MCP Go SDK used Go's standard encoding/json package, which accepts Method (or any other casing) where the JSON-RPC 2.0 specification requires method. Security tools such as WAFs often enforce strict JSON-RPC compliance and therefore only inspect or block the lowercase key method. This mismatch lets an attacker bypass such filters simply by capitalizing JSON keys.
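To make the mismatch concrete, here is an added example (not code from the MCP Go SDK or from this advisory) that puts a lenient encoding/json struct decode, which accepts a capitalised Method key, beside a strict decode that only honours the exact key a case-sensitive filter would see; the request struct, function names and sample payload are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// request mirrors the JSON-RPC 2.0 envelope fields a filter inspects.
type request struct {
	Method string          `json:"method"`
	Params json.RawMessage `json:"params"`
}

// LenientMethod uses a plain encoding/json struct decode. Tag matching falls back
// to case-insensitive, so "Method" fills the field too: the behaviour described above.
func LenientMethod(raw []byte) (string, error) {
	var r request
	if err := json.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	return r.Method, nil
}

// StrictMethod is the hardened variant: it reads the object as a key set and rejects
// any key equal to "method" only under case folding, matching a case-sensitive WAF.
func StrictMethod(raw []byte) (string, error) {
	var obj map[string]json.RawMessage
	if err := json.Unmarshal(raw, &obj); err != nil {
		return "", err
	}
	for k := range obj {
		if strings.EqualFold(k, "method") && k != "method" {
			return "", fmt.Errorf("rejected key %q: JSON-RPC keys are case-sensitive", k)
		}
	}
	v, ok := obj["method"]
	if !ok {
		return "", fmt.Errorf("missing method")
	}
	var method string
	return method, json.Unmarshal(v, &method)
}

func main() {
	// Constructed sample request: "Method" is capitalised, as in the bypass.
	smuggled := []byte(`{"jsonrpc":"2.0","Method":"tools/call","params":{}}`)
	fmt.Println(LenientMethod(smuggled)) // tools/call <nil>
	fmt.Println(StrictMethod(smuggled))  // rejected key "Method": JSON-RPC keys are case-sensitive
}
```

Note that json.Decoder's DisallowUnknownFields does not help here, because a case-insensitive match counts as a known field.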
⚠️ Exploit Status: POC
Technical Details
CWE ID: CWE-436 (Interpretation Conflict)
Secondary CWE: CWE-178 (Improper Handling of Case Sensitivity)
CVSS v4.0: 7.0 (High)
Attack Ve