GitLab Advisory — MCP Go SDK case-folding bug (CVE-2026-27896)

AI relevance: The MCP Go SDK powers agent tool servers and clients; JSON-RPC field confusion can let attacker-crafted tool calls bypass method/params checks in AI agent pipelines.

  • CVE-2026-27896 affects the modelcontextprotocol/go-sdk JSON-RPC parser.
  • Go’s encoding/json performs case-insensitive key matching, so method also matches METHOD or Method.
  • Unicode folding means characters like ſ (U+017F) and K (U+212A) can be treated as ASCII equivalents.
  • This breaks JSON-RPC 2.0’s requirement for exact field names and can enable method/params confusion.
  • The fix updates parsing to enforce strict field name matching in the MCP Go SDK.

Security impact

This class of case-folding bugs is insidious in agent tooling because it breaks the assumptions developers make about “safe” file paths. In an MCP server, a tool might enforce allowlists like /tools/safe/, but case-folding collisions can bypass the check and land writes in unexpected locations. For AI agents, this undermines any control plane that relies on path-prefix matching to keep tools in a sandbox. A prompt-injected agent could be guided to write outside its intended directory without triggering the safety checks the developer thought were in place.

Beyond file writes, case-folding bugs can poison caches, confuse access-control logic, or corrupt model artifacts by writing to alternate-case paths. In large agent deployments that orchestrate multiple tools, the blast radius grows: a single unsafe write can alter a tool config file, swap a prompt template, or replace a policy file — effectively rewiring agent behavior at runtime.

Mitigation strategy

Canonicalize paths using OS-aware routines and compare on the canonical form. Enforce strict allowlists using resolved absolute paths, and deny any write outside a known root. In agent stacks, treat any tool that accepts file paths as high-risk: wrap it with a policy layer that logs, enforces path constraints, and defaults to read-only when possible.

Why it matters

  • Agent gateways often validate tool calls by parsing JSON-RPC fields; case-folding opens the door to request smuggling and bypasses.
  • MCP is a standard interface for LLM tools, so parsing quirks can propagate across multi-agent and tool-chaining stacks.
  • Unicode confusables create a stealthy avenue for policy evasion in AI tool calls.

What to do

  • Upgrade: Move to the latest go-sdk release that includes the strict parsing fix.
  • Audit MCP proxies: Ensure any custom parsers enforce exact JSON-RPC field names.
  • Log anomalies: Alert on requests containing mixed-case or Unicode-confusable JSON keys.
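The lenient key matching described above, beside the exact-name check the "Audit MCP proxies" and "Log anomalies" items call for, as an added Go example that is not code from go-sdk or from the advisory. The Request type, LenientMethod, StrictDecode and the sample requests in the comments are constructed for illustration; only the encoding/json and strings behaviour is the real standard library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request holds the JSON-RPC 2.0 members an MCP server dispatches on.
type Request struct {
	Method string          `json:"method"`
	Params json.RawMessage `json:"params"`
}

// LenientMethod is plain encoding/json: keys match case-insensitively with Unicode simple
// folding, so "METHOD" and "paramſ" (long s, U+017F) bind to Method and Params; even
// DisallowUnknownFields would not object, because a folded key counts as a match.
func LenientMethod(raw string) (string, error) {
	var r Request
	err := json.Unmarshal([]byte(raw), &r)
	return r.Method, err
}

// canonical is the full set of top-level member names a JSON-RPC 2.0 request may carry.
var canonical = []string{"jsonrpc", "method", "params", "id"}

// StrictDecode accepts a member only if its name equals a canonical name byte for byte;
// a name that merely case-folds to one (strings.EqualFold uses the same folding as
// encoding/json) is rejected as "confusable", the anomaly a gateway should log.
func StrictDecode(raw string) (*Request, error) {
	var members map[string]json.RawMessage
	if err := json.Unmarshal([]byte(raw), &members); err != nil {
		return nil, err
	}
	for k := range members {
		exact := false
		for _, c := range canonical {
			if k == c {
				exact = true
			} else if strings.EqualFold(k, c) {
				return nil, fmt.Errorf("confusable member %q folds to %q", k, c)
			}
		}
		if !exact {
			return nil, fmt.Errorf("unknown member %q", k)
		}
	}
	var r Request
	err := json.Unmarshal([]byte(raw), &r) // safe now: every key is byte-exact
	return &r, err
}
```

Fed the constructed request {"jsonrpc":"2.0","id":1,"METHOD":"tools/call","paramſ":{}}, LenientMethod returns "tools/call" while StrictDecode returns a confusable-member error that a proxy can log and alert on.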

Sources