Vulnerability Report: GO-2026-5771
- CVE-2026-34742, GHSA-xw59-hvm2-8pj6
- Affects: github.com/modelcontextprotocol/go-sdk
- Published: Jun 25, 2026
DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost in github.com/modelcontextprotocol/go-sdk
For detailed information about this vulnerability, visit https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-xw59-hvm2-8pj6 or https://nvd.nist.gov/vuln/detail/CVE-2026-34742.
Affected Packages
-
PathVersionsSymbols
Aliases
References
- https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-xw59-hvm2-8pj6
- https://nvd.nist.gov/vuln/detail/CVE-2026-34742
- https://github.com/modelcontextprotocol/go-sdk/commit/67bd3f2e2b53ce11a16db8d976cdb8ff1e986b6d
- https://github.com/modelcontextprotocol/go-sdk/pull/760
- https://github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.0
- https://vuln.go.dev/ID/GO-2026-5771.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.