
fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security]#52

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability

Conversation


@renovate renovate bot commented Feb 28, 2026

This PR contains the following updates:

Package Change
github.com/modelcontextprotocol/go-sdk v1.2.0 -> v1.4.1

GitHub Vulnerability Alerts

CVE-2026-27896

The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. Additionally, Go's standard library folds the Unicode characters ſ (U+017F) and K (U+212A) to their ASCII equivalents s and k, meaning fields like "paramſ" would match "params". This violated the JSON-RPC 2.0 specification, which defines exact field names.

Impact:

A malicious MCP peer may have been able to send protocol messages with non-standard field casing (e.g., "Method" instead of "method") that the SDK would silently accept. This had the potential for:

  • Bypassing intermediary inspection: Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.
  • Cross-implementation inconsistency: Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.

Fix:

Go's standard JSON unmarshaling was replaced with a case-sensitive decoder (github.com/segmentio/encoding) in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.

Credits:

MCP Go SDK thanks Francesco Lacerenza (Doyensec) for reporting this issue.

GHSA-q382-vc8q-7jhj

The Go SDK recently transitioned to the segmentio/encoding library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with null Unicode characters appended at the end as equivalent to their base strings.

Impact

When combined with duplicate keys, the described behavior leads to a "last key wins" resolution that could override the intended MCP message. This had the potential for:

  • Bypassing intermediary inspection: Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.
  • Cross-implementation inconsistency: Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.

Fix:

The segmentio/encoding package was patched with a fix in segmentio/encoding@7d5a25d and a new version of the package was released (v0.5.4). The SDK switched to the patched version of the dependency in 724dd47aa. Users are advised to update to v1.4.1 to resolve this issue.

Credits:

Thank you to Francesco Lacerenza (Doyensec) for reporting this issue.

CVE-2026-33252

The Go SDK's Streamable HTTP transport accepted browser-generated cross-site POST requests without validating the Origin header and without requiring Content-Type: application/json. In deployments without Authorization, especially stateless or sessionless configurations, this allows an arbitrary website to send MCP requests to a local server and potentially trigger tool execution.

Impact:

A malicious website may have been able to send cross-site POST requests with Content-Type: text/plain, which due to CORS-safelisted properties would reach the MCP message handling without any CORS preflight barrier.

Fix:

The SDK was modified to perform Content-Type header validation for POST requests and introduced a configurable protection for verifying the origin of the request in commit a433a83. Users are advised to update to v1.4.1 to use this additional protection.

Note: v1.4.1 requires Go 1.25 or later.

Credits:

Thank you to Lê Minh Quân for reporting the issue.

CVE-2026-34742

The Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPHandler or SSEHandler, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via StreamableHTTPHandler or SSEHandler now have this protection enabled by default when binding to localhost. Users are advised to update to version 1.4.0 to receive this automatic protection.


Release Notes

modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)

v1.4.1


This release is a patch release for v1.4.0.

It contains cherry-picks for several security improvements. Security advisories will follow.

Fixes

Update of the segmentio/encoding module version

The JSON parsing library that was adopted to avoid attacks taking advantage of Go's standard parser being case-insensitive turned out to contain an issue itself. We have submitted the fix upstream, and this release updates the dependency to the patched version.

Cross-origin requests protection

We have added additional protection against cross-origin requests. From now on, we verify that Content-Type for JSON-RPC POST requests is set to application/json and use the new http.CrossOriginProtection functionality to verify the origin of the request. Usage of this functionality required increasing the required Go version to 1.25, which is in line with our Go version policy of supporting the two newest Go versions. The behavior can be customized by passing a configured http.CrossOriginProtection object to StreamableHTTPOptions.

Since this is a behavior change, we introduced a compatibility parameter, disablecrossoriginprotection, that allows it to be temporarily disabled. It will be removed in the v1.6.0 version of the SDK. See here for more details about behavior changes and a history of compatibility parameters across SDK versions.

Allowing customization of http.Client for client-side OAuth

We have introduced an optional http.Client parameter to AuthorizationCodeHandlerConfig. This allows customization of the transport, for example implementing environment specific protection against Server-Side Request Forgery.


Full Changelog: modelcontextprotocol/go-sdk@v1.4.0...v1.4.1

v1.4.0


This release marks the completion of the full 2025-11-25 specification implementation, by introducing the support for Sampling with Tools and experimental client-side OAuth support. It also contains multiple bug fixes and improvements. Thanks to all contributors!

Client-side OAuth support

This release introduces experimental support for OAuth on the client side of the SDK. It aims to support the full scope of the current MCP specification for authorization. To use it, you need to compile the SDK with the -tags mcp_go_client_oauth flag. Some changes may still be applied to this new API, based on developer feedback. The functionality is planned to become stable in v1.5.0 release, expected by the end of March 2026. More details can be found at https://github.com/modelcontextprotocol/go-sdk/blob/main/docs/protocol.md#client.

Sampling with Tools

Starting from this release, the server uses the new CreateMessageWithTools method to create a sampling request to the client that contains tools that can be used by the client. On the client side, CreateMessageWithToolsHandler may be used to handle such requests and issue ToolUse responses to the server.

Behavior changes

We have two important behavior changes that were introduced to fix a bug or improve security posture. They can be temporarily turned off by specifying a special MCPGODEBUG environment variable when running the SDK. Different options can be added together, separated by a comma.

Introduced DNS rebinding protection

The requests arriving via a localhost address (127.0.0.1, [::1]) that have a non-localhost Host header will be rejected to protect against DNS rebinding attacks. The protection can be disabled by specifying StreamableHTTPOptions.DisableLocalhostProtection, but it should be done only if security implications are understood (see documentation for the option).

This protection is a behavior change, as the protection is now enabled by default. Because of that, we have introduced an MCPGODEBUG option to bring back the previous default behavior for users that need more time to adjust. However, if possible, we recommend specifying DisableLocalhostProtection described above, as it is a more future-proof solution. The MCPGODEBUG option to remove this protection (disablelocalhostprotection=1) will be removed in v1.6.0.

Removed JSON content escaping when marshaling

By default encoding/json escapes the contents of the objects, which causes some servers to fail. We switched to no escaping by default, to be consistent with other SDKs. Since this is a behavior change, we introduced an MCPGODEBUG option to bring back the previous behavior for users that need more time to adjust to it. That option (jsonescaping=1) will be removed in v1.6.0.

Bug fixes

The security vulnerability caused by the case-insensitive parsing behavior of encoding/json has been submitted (also released as a cherry-pick in v1.3.1). A security advisory has been posted.

Enhancements

Notably, the SDK now supports the extensions field in client and server capabilities, which should enable creation of MCP Apps.

Repository organization

Some effort was put into better organization of the repository, as well as making sure it's up to date and secure. As a highlight, the repository is now integrated with OSSF Scorecard, with a positive score of 8.7. Additionally, the full conformance test suite is now run on every PR and push to main.

Full Changelog: modelcontextprotocol/go-sdk@v1.3.0...v1.4.0

v1.3.1


This release is a patch release for v1.3.0.

It contains a cherry-pick for a security issue reported in #805, which takes advantage of the default behavior of Go's standard library JSON decoder that allows case-insensitive matches to struct field names (or "json" tags). The issue has been addressed by changing the JSON decoder to one that supports case-sensitive matching.

Full Changelog: modelcontextprotocol/go-sdk@v1.3.0...v1.3.1

v1.3.0


This release is equivalent to v1.3.0-pre.1. Thank you to those who tested the pre-release.

This release includes several enhancements and bugfixes. Worth mentioning is the addition of schema caching, which significantly improves the performance in some stateless server deployment scenarios.

Full Changelog: modelcontextprotocol/go-sdk@v1.2.0...v1.3.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
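The first two advisories quoted above both come down to the JSON decoder accepting keys that are not byte-for-byte the JSON-RPC 2.0 field names. The following is an added illustration for this page, not code from the go-sdk: permissiveDecode shows what encoding/json alone does with "Method" and "paramſ", and strictUnmarshal is a small pre-check (the names Request, requestKeys, permissiveDecode and strictUnmarshal are this example's own) that rejects case variants, folded characters, keys with a trailing NUL byte and duplicate keys before the normal decoder runs.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Request is the minimal JSON-RPC 2.0 request shape used for MCP messages.
type Request struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
}

// requestKeys is the exact, case-sensitive key set a request may carry.
var requestKeys = map[string]bool{"jsonrpc": true, "id": true, "method": true, "params": true}

// permissiveDecode relies on encoding/json alone, which matches keys case-
// insensitively and folds U+017F/U+212A, so "Method" and "paramſ" still land.
func permissiveDecode(raw []byte) (Request, error) {
	var r Request
	err := json.Unmarshal(raw, &r)
	return r, err
}

// strictUnmarshal walks the top-level object token by token, requiring each
// key to be a byte-exact member of allowed and to appear only once, before
// handing the bytes to encoding/json. Folds, NULs and duplicates never get in.
func strictUnmarshal(raw []byte, allowed map[string]bool, v any) error {
	dec := json.NewDecoder(bytes.NewReader(raw))
	if tok, err := dec.Token(); err != nil || tok != json.Delim('{') {
		return fmt.Errorf("expected a JSON object")
	}
	seen := map[string]bool{}
	for dec.More() {
		tok, err := dec.Token()
		key, ok := tok.(string) // object keys are always string tokens
		if err != nil || !ok || !allowed[key] || seen[key] {
			return fmt.Errorf("rejected key %q (malformed, non-canonical or duplicate): %v", key, err)
		}
		seen[key] = true
		var skip json.RawMessage // consume the value without interpreting it
		if err := dec.Decode(&skip); err != nil {
			return err
		}
	}
	return json.Unmarshal(raw, v)
}
```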


renovate bot commented Feb 28, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

Package Change
github.com/google/jsonschema-go v0.3.0 -> v0.4.2
golang.org/x/sys v0.38.0 -> v0.40.0
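The transport advisories in the PR description (CVE-2026-33252 and CVE-2026-34742) describe three request-level checks: a loopback Host header on localhost listeners, Content-Type: application/json on JSON-RPC POSTs, and origin verification. The SDK itself relies on Go 1.25's http.CrossOriginProtection for the last of these; the example below is written for this page, not taken from the go-sdk, and spells the checks out in plain net/http so they can be read and tested in isolation (Guard, isLoopbackHost and Check are this example's own names).

```go
package main

import (
	"mime"
	"net"
	"net/http"
	"strings"
)

// Guard holds the policy for the three transport checks described above.
type Guard struct {
	AllowedOrigins map[string]bool // exact Origin values browsers may present
	LocalOnly      bool            // true when the listener binds to loopback
}

// isLoopbackHost reports whether a Host header names localhost or a loopback IP.
func isLoopbackHost(host string) bool {
	h, _, err := net.SplitHostPort(host)
	if err != nil {
		h = host // no port present
	}
	h = strings.Trim(h, "[]")
	if h == "localhost" {
		return true
	}
	ip := net.ParseIP(h)
	return ip != nil && ip.IsLoopback()
}

// Check returns 0 when the request may proceed, otherwise the status to send.
func (g Guard) Check(r *http.Request) (int, string) {
	// DNS rebinding: a rebound hostname still arrives with its own Host
	// header, so a loopback-only server must insist on a loopback Host.
	if g.LocalOnly && !isLoopbackHost(r.Host) {
		return http.StatusForbidden, "Host header does not name localhost"
	}
	// Cross-site POST: text/plain is CORS-safelisted and skips preflight,
	// so JSON-RPC bodies must declare application/json.
	if r.Method == http.MethodPost {
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			return http.StatusUnsupportedMediaType, "Content-Type must be application/json"
		}
	}
	// Browsers always attach Origin to cross-site POSTs; reject unknown ones.
	if o := r.Header.Get("Origin"); o != "" && !g.AllowedOrigins[o] {
		return http.StatusForbidden, "Origin not allowed"
	}
	return 0, ""
}
```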

@renovate renovate bot requested a review from a team as a code owner February 28, 2026 03:59
@renovate renovate bot requested review from wnagele and removed request for a team February 28, 2026 03:59

cla-assistant bot commented Feb 28, 2026

CLA assistant check
All committers have signed the CLA.


cla-assistant bot commented Feb 28, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.3.1 [security] fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] Mar 19, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability branch from 682216e to dc1090d March 19, 2026 17:19
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed Mar 20, 2026
@renovate renovate bot closed this Mar 20, 2026
@renovate renovate bot deleted the renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability branch March 20, 2026 18:16
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] Mar 20, 2026
@renovate renovate bot reopened this Mar 20, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability branch 2 times, most recently from dc1090d to eee05f3 March 20, 2026 21:49
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed Mar 23, 2026
@renovate renovate bot closed this Mar 23, 2026
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] Mar 23, 2026
@renovate renovate bot reopened this Mar 23, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability branch 2 times, most recently from eee05f3 to f6c9cf5 March 23, 2026 08:45
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability branch 2 times, most recently from f6c9cf5 to 813ecfe March 30, 2026 21:47
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed Apr 1, 2026
@renovate renovate bot closed this Apr 1, 2026
@renovate renovate bot changed the title fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] - autoclosed fix(deps): update module github.com/modelcontextprotocol/go-sdk to v1.4.1 [security] Apr 1, 2026
@renovate renovate bot reopened this Apr 1, 2026
@renovate renovate bot force-pushed the renovate/go-github.com-modelcontextprotocol-go-sdk-vulnerability branch 2 times, most recently from 813ecfe to 6a83dee April 1, 2026 23:30