CVE-2026-27896: MCP Go SDK Case-Insensitive Routing Bypasses Authorization Controls
DEV Community·medium signal
CVE-2026-27896 discloses a security control bypass in the MCP Go SDK: case-insensitive tool name routing allows specially crafted names (e.g., "Delete" vs "delete") to bypass exact-match authorization checks. Any MCP server built with the Go SDK that uses exact-match permission enforcement is potentially affected. A patched SDK version is available; server authors must update their Go SDK dependency to remediate.