modelcontextprotocol · he-yufeng · May 19, 2026 · Jun 2, 2026 · Jun 3, 2026
diff --git a/mcp/streamable.go b/mcp/streamable.go
@@ -1345,7 +1345,8 @@
 		return
 	}
 
-	protocolVersion := protocolVersionFromContext(req.Context())
+	headerProtocolVersion := protocolVersionFromContext(req.Context())
+	protocolVersion := headerProtocolVersion
 	if protocolVersion == "" {
 		protocolVersion = protocolVersion20250326
 	}
@@ -1365,6 +1366,7 @@
 	calls := make(map[jsonrpc.ID]struct{})
 	tokenInfo := auth.TokenInfoFromContext(req.Context())
 	isInitialize := false
+	var initializeID jsonrpc.ID
 	var initializeProtocolVersion string
 	for _, msg := range incoming {
 		if jreq, ok := msg.(*jsonrpc.Request); ok {
@@ -1384,6 +1386,7 @@
 			}
 			if jreq.Method == methodInitialize {
 				isInitialize = true
+				initializeID = jreq.ID
 				// Extract the protocol version from InitializeParams.
 				var params InitializeParams
 				if err := internaljson.Unmarshal(jreq.Params, &params); err == nil {
@@ -1401,6 +1404,9 @@
 			if meta := extractRequestMeta(jreq.Params); meta != nil {
 				metaVersion, _ = meta[MetaKeyProtocolVersion].(string)
 			}
+			if jreq.Method == methodInitialize && metaVersion == "" && headerVersion >= protocolVersion20260630 {
+				metaVersion = initializeProtocolVersion
+			}
 			if protocolVersion >= protocolVersion20260630 || metaVersion != "" {
 				// Extract again the protcol version from the context to see what the client
 				// is advertising in the Mcp-Protocol-Version HTTP header.
@@ -1476,6 +1482,22 @@
 		}
 	}
 
+	if headerProtocolVersion != "" && initializeProtocolVersion != "" && headerProtocolVersion != initializeProtocolVersion {
+		resp := &jsonrpc.Response{
+			ID: initializeID,
+			Error: jsonrpc2.NewError(
+				CodeHeaderMismatch,
+				fmt.Sprintf("header mismatch: %s header value %q does not match body protocolVersion %q", protocolVersionHeader, headerProtocolVersion, initializeProtocolVersion),
+			),
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		if data, err := jsonrpc2.EncodeMessage(resp); err == nil {
+			w.Write(data)
+		}
+		return
+	}
+
 	// Validate MCP standard headers (Mcp-Method, Mcp-Name, Mcp-Param-*)
 	if !isBatch && len(incoming) == 1 {
 		if err := validateMcpHeaders(req.Header, incoming[0], c.toolLookup); err != nil {

diff --git a/mcp/streamable_test.go b/mcp/streamable_test.go
@@ -972,6 +972,19 @@ func TestStreamableServerTransport(t *testing.T) {
 			},
 			wantSessions: 1,
 		},
+		{
+			name: "initialize protocol version header mismatch",
+			requests: []streamableRequest{
+				{
+					method:             "POST",
+					headers:            http.Header{protocolVersionHeader: {protocolVersion20251125}},
+					messages:           []jsonrpc.Message{req(1, methodInitialize, &InitializeParams{ProtocolVersion: protocolVersion20250618})},
+					wantStatusCode:     http.StatusBadRequest,
+					wantBodyContaining: "header mismatch",
+				},
+			},
+			wantSessions: 0,
+		},
 		{
 			name: "batch rejected on 2025-06-18",
 			requests: []streamableRequest{