CVE-2026-27896 · Severity: high · CVSS 7.5

MCP Go SDK Case-Insensitive JSON Parsing Allows Security Control Bypass

Tags: mcp, agentic-security, go-sdk, waf-bypass

The official MCP Go SDK uses Go's standard encoding/json library, which matches incoming JSON object keys to struct fields case-insensitively when no exact match exists. A field tagged json:"method" will silently accept "Method", "METHOD", and any other casing variant — no error, no warning.

The technical problem: WAFs and policy enforcement mechanisms that inspect MCP messages using exact field name matching ("method": "tools/call") can be bypassed by sending those fields with different casing ("Method": "tools/call"). The SDK still decodes and dispatches the message normally, but the security layer, matching on the exact key, never sees a "method" field to evaluate.

Every MCP server or client built on the official Go SDK is affected. This includes enterprise infrastructure that relies on inspection intermediaries to enforce tool policies: until the patch is applied, that inspection layer provides effectively no protection.

Immediate recommendation: Update to the patched MCP Go SDK release. If the fixed version isn't available yet, add explicit case-sensitive field matching validation to any middleware that inspects MCP messages.
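As an added illustration (not code from the SDK or from this advisory), the following Go program first decodes a constructed MCP JSON-RPC message through the lenient encoding/json path, showing that a "Method" key still populates the method field, and then applies the explicit case-sensitive key check recommended above. The rpcRequest struct, the canonicalKeys set and the function names are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal JSON-RPC envelope as an SDK might decode it.
// This struct is an assumption for the example, not the SDK's own type.
type rpcRequest struct {
	JSONRPC string          `json:"jsonrpc"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params"`
}

// lenientMethod shows the weakness: encoding/json prefers an exact key match
// but falls back to a case-insensitive one, so "Method" or "METHOD" also
// populate the Method field without any error.
func lenientMethod(raw []byte) (string, error) {
	var req rpcRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return "", err
	}
	return req.Method, nil
}

// Top-level JSON-RPC member names an inspection layer keys its policy on.
var canonicalKeys = map[string]bool{
	"jsonrpc": true, "id": true, "method": true,
	"params": true, "result": true, "error": true,
}

// strictCheck is the middleware-side mitigation: decode into a map so the raw
// key spelling is visible, then reject any key that is only a case variant of
// a canonical member. Keys that are not variants are left to normal policy.
func strictCheck(raw []byte) error {
	var top map[string]json.RawMessage
	if err := json.Unmarshal(raw, &top); err != nil {
		return err
	}
	for k := range top {
		lower := strings.ToLower(k)
		if !canonicalKeys[k] && canonicalKeys[lower] {
			return fmt.Errorf("rejected: key %q is a case variant of %q", k, lower)
		}
	}
	return nil
}

func main() {
	msg := []byte(`{"jsonrpc":"2.0","id":1,"Method":"tools/call","params":{}}`) // constructed
	m, _ := lenientMethod(msg)
	fmt.Println("lenient decode sees method:", m)  // tools/call
	fmt.Println("strict check:", strictCheck(msg)) // rejected: key "Method" ...
}
```

The same map-based check should be repeated on any nested object the policy keys on (for example the tool name inside params), since the case-insensitive fallback applies at every level of the decode.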