Mcp Go Sdk
cpe:2.3:a:lfprojects:mcp_go_sdk:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Lfprojects (4544abc5-133d-544b-9bd5-895c4c487a16) |
|---|---|
| Product | Mcp Go Sdk (92b77257-e105-5784-8358-231e3b8517cb) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-34742 | vulnerable | 2026-06-03 15:22:10.767113 | Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with `StreamableHTTPHandler` or `SSEHandler`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances. This issue has been patched in version 1.4.0. Published: 2026-04-02T18:32:34.781Z. Updated: 2026-04-03T15:59:37.091Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-33252 | vulnerable | 2026-06-03 15:20:44.568774 | MCP Go SDK Allows Cross-Site Tool Execution for HTTP Servers without Authorization. HIGH (7.1). Prior to version 1.4.1, the Go SDK's Streamable HTTP transport accepted browser-generated cross-site `POST` requests without validating the `Origin` header and without requiring `Content-Type: application/json`. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution. Version 1.4.1 contains a patch for the issue. Published: 2026-03-23T23:44:16.106Z. Updated: 2026-03-24T18:39:50.841Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27896 | vulnerable | 2026-06-03 15:18:07.471096 | MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity. The Go MCP SDK used Go's standard `encoding/json.Unmarshal` for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags: a field tagged `json:"method"` would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and cross-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue. Published: 2026-02-26T00:47:46.967Z. Updated: 2026-02-26T17:06:41.150Z. | Imported from gcve-enriched-dumps CVE data |