Streamable HTTP server does not validate body/header protocol-version consistency on initialize

[cclabadmin]

Bug description

When the initial initialize request carries an MCP-Protocol-Version HTTP header that disagrees with initialize.params.protocolVersion in the JSON-RPC body, the server accepts the request without error. The negotiated protocol version follows the JSON-RPC body rather than the MCP-Protocol-Version request header.

The current MCP 2025-11-25 specification does not explicitly require the server to check body/header consistency on initialize, so this is filed as an implementation observation rather than a strict spec-violation claim.

Environment

• Reproduced with stable release v1.1.2 (e9e1a2f3)
• Also reproduced with a main snapshot from 2026-05-15 (c09ee67f)
• Transport: Streamable HTTP server (stateful profile)
• Java runtime used for repro: OpenJDK 21.0.10
• SDK build target: Java 17 (java.version, maven.compiler.source, and maven.compiler.target are set to 17 in the SDK pom.xml)

Steps to reproduce

1. Start a Java SDK Streamable HTTP server.
2. Send an initialize request where the body protocolVersion is 2025-11-25 but the MCP-Protocol-Version header is 2025-03-26 (or vice versa).
3. Observe that the server returns HTTP 200 with a normal initialize result.
4. Check the negotiated protocol version in the response.

Expected behavior

Option A: the server rejects the mismatch before negotiation, for example with HTTP 400 or a JSON-RPC Invalid Request error.

Option B: the spec clarifies which field is authoritative, and the SDK documents that behavior and covers it with a regression test.

Minimal Complete Reproducible example

The mismatch was accepted in both directions:

body=2025-11-25 header=2025-03-26 -> HTTP 200, negotiated version follows body (2025-11-25)
body=2025-03-26 header=2025-11-25 -> HTTP 200, negotiated version follows body (2025-03-26)

After initialization, subsequent responses used the body-negotiated version in the MCP-Protocol-Version header rather than the original mismatched request header value.

With a Streamable HTTP server running, set ENDPOINT to the server endpoint and send an initial initialize request whose HTTP header and JSON-RPC body disagree:

ENDPOINT=http://127.0.0.1:8080/mcp

curl -i -sS --http1.1 -X POST "$ENDPOINT" \
  -H 'Content-Type: application/json' \
  -H 'Accept: application/json, text/event-stream' \
  -H 'MCP-Protocol-Version: 2025-03-26' \
  --data '{"jsonrpc":"2.0","id":"init-conflict-1","method":"initialize","params":{"protocolVersion":"2025-11-25","capabilities":{},"clientInfo":{"name":"version-conflict-repro","version":"0.1.0"}}}'

Then repeat the same request with the values reversed: body 2025-03-26, header 2025-11-25.

Additional context

• Related: Streamable HTTP GET after initialize sends latest MCP-Protocol-Version instead of negotiated version #883 reports a client-side Streamable HTTP version-header issue after initialize, where the client sends the latest supported MCP-Protocol-Version on GET instead of the negotiated version. This report is about the server side accepting inconsistent header/body inputs on initialize.
• Related: SEP-2575 introduces a related future-state requirement that, for HTTP requests, the MCP-Protocol-Version header match _meta["io.modelcontextprotocol/protocolVersion"].