Fix misnumbered heading

Author: jonathanhefner

docs/specification/draft/basic/authorization.mdx

@@ -299,7 +299,7 @@ See [Security Best Practices 2.1](/specification/draft/basic/security_best_pract
 MCP proxy servers using static client IDs **MUST** obtain user consent for each dynamically
 registered client before forwarding to third-party authorization servers (which may require additional consent).
 
-### 3.5 Access Token Privilege Restriction
+### 3.6 Access Token Privilege Restriction
 
 An attacker can gain unauthorized access or otherwise compromise a MCP server if the server accepts tokens issued for other resources.