{
  "repository": "https://github.com/modelcontextprotocol/go-sdk",
  "commit_source": "git_rev_parse",
  "commit_sha": "c9317fb5b75328ca2faeaf8ea0e23a53c37de49f",
  "tested_at": "2026-04-04T13:00:00Z",
  "notes": "This is the v1.4.0 tag commit which contains the partial fix for CVE-2026-34742. The fix was applied to StreamableHTTPHandler but SSEHandler was left unprotected.",
  "submitted_target": {
    "target_kind": "git_tag",
    "version": "v1.3.0",
    "ref": "v1.3.0",
    "display": "v1.3.0 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "c9317fb5b75328ca2faeaf8ea0e23a53c37de49f",
    "version": "v1.4.0",
    "ref": "v1.4.0",
    "display": "v1.4.0 (partially patched - SSEHandler bypass confirmed)"
  }
}