Improper Handling of Case Sensitivity Affecting dogstatsd-fips-7 package, versions <7.76.1-r2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-MINIMOSLATEST-DOGSTATSDFIPS7-15363964
- published28 Feb 2026
- disclosed26 Feb 2026
Introduced: 26 Feb 2026
NewCVE-2026-27896 (opens in a new tab)How to fix?
Upgrade Minimos:latest dogstatsd-fips-7 to version 7.76.1-r2 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream dogstatsd-fips-7 package and not the dogstatsd-fips-7 package as distributed by Minimos.
See How to fix? for Minimos:latest relevant fixed versions and status.
The Go MCP SDK used Go's standard encoding/json.Unmarshal for JSON-RPC and MCP protocol message parsing in versions prior to 1.3.1. Go's standard library performs case-insensitive matching of JSON keys to struct field tags — a field tagged json:"method" would also match "Method", "METHOD", etc. This violated the JSON-RPC 2.0 specification, which defines exact field names. A malicious MCP peer may have been able to send protocol messages with non-standard field casing that the SDK would silently accept. This had the potential for bypassing intermediary inspection and coss-implementation inconsistency. Go's standard JSON unmarshaling was replaced with a case-sensitive decoder in commit 7b8d81c. Users are advised to update to v1.3.1 to resolve this issue.
References
- https://www.cve.org/CVERecord?id=CVE-2026-27896
- https://github.com/advisories/GHSA-wvj2-96wp-fq3f
- https://osv.dev/vulnerability/MINI-ccx8-75xj-wcv6
- https://osv.dev/vulnerability/CVE-2026-27896
- https://github.com/modelcontextprotocol/go-sdk/commit/7b8d81c264074404abdf5aa16e2cf0c2d9c64cc0
- https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-wvj2-96wp-fq3f