New Enterprise-Ready MCP Specification Brings New Security Challenges
New enterprise-ready MCP spec shifts security to developers, creating new risks.
Summary
The Model Context Protocol (MCP) is updating to an enterprise-ready, stateless version, shifting security responsibilities from the protocol to developers and operators. While it eliminates some older vulnerabilities, the new MCP introduces risks like state tracking identifier misuse, data leakage via HTTP headers, XSS via MCP Apps, and denial-of-service attacks through long-running tasks.
Full text
MCP is evolving from a single-user server to an enterprise-ready server fit for expanded cloud-native AI usage. Companies have 12 months to get ready.

The Model Context Protocol (MCP) began life as a local, single-user AI integration tool. It was introduced by Anthropic in 2024 and has since become the de facto standard for connecting AI agents to business tools. On July 28, 2026, it will transition to a new version, MCP 2026-07-28, with a 12-month deprecation window for legacy versions. The new MCP introduces a platform able to support enterprise-scale, cloud-native deployments.

“The headline change is that MCP is now stateless at the protocol layer. Six Specification Enhancement Proposals (SEPs) work together to get there,” announced the Model Context Protocol Blog when publishing the release candidate on May 21, 2026. “The release candidate is locked as of May 21, 2026. The final specification will be published on July 28, 2026. The ten-week window is for SDK maintainers and client implementers to validate the changes against real workloads.”

Akamai is one of the firms that has studied the new format ahead of the July 28 launch, and it describes its conclusions in a blog report. For cybersecurity, “While the protocol removes several classes of vulnerabilities, it also introduces new areas where security depends heavily on implementation quality,” reports Akamai.

Improvements include an end to session hijacking, the prevention of unsolicited server-initiated prompts, and stronger authentication standards. But at the same time, new attack surfaces are introduced. The headline change is that MCP is now stateless. This, suggests Akamai, “introduces subtle security challenges. 
In the real world, AI interactions aren’t always a simple ‘one-and-done’ conversation; they often require a back-and-forth chain of events.”

Rather than permanent sessions, the new version introduces tracking identifiers and state objects that the server hands to the client. Akamai lists three concerns should those IDs be predictable: hijacking an active workflow, accessing data belonging to a different agent, and triggering unauthorized cross-tenant actions.

The new specification also introduces MCP-specific HTTP headers (such as MCP-Method and MCP-Name). This brings two new risks: protocol confusion (desync) attacks, in which the header and the request body disagree about what is being asked, and data leakage via x-mcp-header. On the latter, Akamai warns, “If developers accidentally map sensitive inputs like API keys, tokens, or PII, those secrets are pushed straight into the headers. Once there, they become visible to every load balancer, proxy, and logging system along the path.”

Akamai notes two other changes with potential attack surface concerns. First, while MCP Apps becoming a first-class protocol extension will improve the user experience, it also introduces traditional web browser risks, such as stored cross-site scripting (XSS). Second, “The introduction of long-running tasks creates a massive denial-of-service (DoS) vector that relies on one-way interactions.” Task creation is cheap for the client but resource hungry for the server. “An attacker can send a single request to spawn an expensive operation (consuming CPU, memory, or database storage) and immediately disconnect.”

Importantly, it is not the MCP protocol itself that is becoming more vulnerable; rather, it is the attack surface of MCP servers built on top of the new specification that is expanding. Maxim Zavodchik, senior director of threat research at Akamai, told SecurityWeek how he expects the new enterprise-level MCP to affect security teams. 
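The predictable-identifier concern above is the one a server developer can close in a few lines, so here is an added Python example (not code from the MCP specification, any MCP SDK, or Akamai's report). It contrasts a guessable counter-based ID with a state handle that is random, HMAC-sealed with a server-side secret, time-limited, and bound to the tenant and agent that received it. The handle format, the field names and the idea that the server already knows the caller's tenant and agent from its authentication layer are assumptions made for the example.

```python
"""Tenant-bound, unforgeable state handles for a stateless MCP server.

Added illustration, not code from the MCP specification, any MCP SDK, or
Akamai. It assumes (hypothetically) that the server returns an opaque
"state" string to the client after each workflow step and that the server
already knows the caller's tenant and agent identity from its auth layer.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class StateError(Exception):
    """Handle is malformed, forged, expired, or scoped to another caller."""


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def predictable_id(counter: int) -> str:
    """The anti-pattern: a sequential ID any other tenant can guess and replay."""
    return f"workflow-{counter}"


def issue_state(secret: bytes, tenant: str, agent: str, payload: dict,
                ttl_s: int = 600, now=None) -> str:
    """Mint a state handle bound to (tenant, agent) and sealed with HMAC-SHA256."""
    now = time.time() if now is None else now
    body = {
        "id": _b64e(secrets.token_bytes(16)),  # 128 random bits, not a counter
        "ten": tenant,
        "agt": agent,
        "exp": int(now) + ttl_s,
        "data": payload,
    }
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(secret, raw, hashlib.sha256).digest()
    return _b64e(raw) + "." + _b64e(tag)


def redeem_state(secret: bytes, token: str, tenant: str, agent: str, now=None) -> dict:
    """Verify seal, expiry and caller binding before trusting anything inside."""
    now = time.time() if now is None else now
    try:
        raw_b64, tag_b64 = token.split(".", 1)
        raw, tag = _b64d(raw_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        raise StateError("malformed handle")
    expected = hmac.new(secret, raw, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):       # constant-time comparison
        raise StateError("forged or tampered handle")
    body = json.loads(raw)
    if body["exp"] < now:
        raise StateError("expired handle")
    if body["ten"] != tenant or body["agt"] != agent:
        raise StateError("handle belongs to another tenant or agent")
    return body["data"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # per-deployment server secret
    handle = issue_state(key, "tenant-a", "agent-1", {"step": 2, "doc": "Q3-plan"})
    print("tenant-a redeems own handle:", redeem_state(key, handle, "tenant-a", "agent-1"))
    try:
        redeem_state(key, handle, "tenant-b", "agent-1")   # cross-tenant replay attempt
    except StateError as err:
        print("tenant-b rejected:", err)
```

Because the binding lives inside the sealed payload rather than in a server-side session table, the server stays stateless while still refusing a handle presented by a different tenant, an edited handle, or one past its expiry; rotating the secret invalidates every outstanding handle at once.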
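Both header risks above, the header/body mismatch behind protocol confusion and secrets mapped into x-mcp-* headers, can be caught at the HTTP front door before a request reaches business logic. The following is an added Python example, not code from the MCP specification, SDKs, or Akamai. The header names MCP-Method and x-mcp-* come from the discussion above; that MCP-Method should mirror the JSON-RPC "method" field in the body, and that x-mcp-* headers are developer-mapped values, are assumptions made for the example, as is the small, constructed pattern list of secret-looking values.

```python
"""Header/body consistency and secret-leak checks for an MCP HTTP front end.

Added illustration, not code from the MCP specification, SDKs, or Akamai.
Assumptions: MCP-Method is expected to equal the JSON-RPC "method" in the
body, and headers under mcp-*/x-mcp-* are developer-mapped values.
"""
import json
import re

# Constructed, deliberately small list of value shapes that must never ride in a header.
SECRET_PATTERNS = (
    ("jwt", re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")),
    ("bearer_token", re.compile(r"^bearer\s+\S+$", re.IGNORECASE)),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("email_address", re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")),
)


def _is_mcp_header(name: str) -> bool:
    lname = name.lower()                      # HTTP header names are case-insensitive
    return lname.startswith("mcp-") or lname.startswith("x-mcp-")


def check_mcp_request(headers: dict, body: bytes) -> list:
    """Return a list of findings; an empty list means the request passed."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    try:
        msg = json.loads(body)
    except ValueError:
        return ["body: not valid JSON-RPC"]
    body_method = msg.get("method") if isinstance(msg, dict) else None

    # 1. Desync / protocol confusion: a proxy that authorizes on the header while the
    #    server dispatches on the body must never see the two disagree. Fail closed.
    hdr_method = h.get("mcp-method")
    if hdr_method is not None and hdr_method != body_method:
        findings.append(f"desync: MCP-Method header {hdr_method!r} != body method {body_method!r}")

    # 2. Leakage: anything in the MCP header namespace is visible to every load
    #    balancer, proxy and log on the path, so reject secret-looking values.
    for name, value in h.items():
        if not _is_mcp_header(name):
            continue
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(str(value)):
                findings.append(f"leak: header {name} carries what looks like a {label}")
                break
    return findings


def scrub_headers(headers: dict) -> tuple:
    """Outbound side: drop MCP-namespace headers with secret-looking values.

    Returns (kept, dropped_names) so the caller can log the names, never the values.
    """
    kept, dropped = {}, []
    for name, value in headers.items():
        flagged = _is_mcp_header(name) and any(
            p.search(str(value)) for _, p in SECRET_PATTERNS)
        if flagged:
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


if __name__ == "__main__":
    # Constructed request: the header claims a read-only listing, the body calls a tool.
    hdrs = {"MCP-Method": "tools/list", "X-MCP-Header": "Bearer sk_live_example"}
    body = b'{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"delete_user"}}'
    for finding in check_mcp_request(hdrs, body):
        print(finding)
    print(scrub_headers(hdrs))
```

A front end that routes or authorizes on MCP-Method alone would treat the constructed request as a harmless tools/list; the body-dispatching server would run tools/call. Rejecting the mismatch outright is safer than picking one side. The Authorization header is deliberately outside the scan, since a bearer token is expected there and is handled by the authentication layer, not copied into MCP headers.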
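The long-running-task concern above, a request that is cheap to send but expensive to serve and whose sender then disconnects, is the classic asymmetric DoS, and the server-side answer is admission control plus a lease that dies with the client. Below is an added Python example, not code from the MCP specification, SDKs, or Akamai. It assumes (hypothetically) that the developer can estimate a cost unit for each task up front and that a client must keep polling a task it cares about; a task nobody polls within the lease window is treated as abandoned and cancelled.

```python
"""Admission control and hit-and-run reaping for long-running MCP tasks.

Added illustration, not code from the MCP specification, SDKs, or Akamai.
Assumptions: each task has a developer-estimated cost unit, and clients
must poll a task to keep it alive; silent tasks are cancelled.
"""
import secrets
import time
from dataclasses import dataclass


class Rejected(Exception):
    """Task creation or access refused by admission control."""


@dataclass
class Task:
    id: str
    tenant: str
    cost: int
    last_seen: float
    status: str = "running"


class TaskBroker:
    def __init__(self, per_tenant: int = 3, total: int = 50,
                 tenant_budget: int = 100, lease_s: float = 30.0):
        self.per_tenant = per_tenant        # concurrent running tasks per tenant
        self.total = total                  # concurrent running tasks server-wide
        self.tenant_budget = tenant_budget  # cost units a tenant may have in flight
        self.lease_s = lease_s              # silence after which a task is abandoned
        self.tasks = {}

    def _running(self, tenant=None):
        return [t for t in self.tasks.values()
                if t.status == "running" and (tenant is None or t.tenant == tenant)]

    def create(self, tenant: str, cost: int, now=None) -> str:
        """Creation is cheap for the client; make it count against quotas before any work."""
        now = time.time() if now is None else now
        mine = self._running(tenant)
        if len(self._running()) >= self.total:
            raise Rejected("server at capacity")
        if len(mine) >= self.per_tenant:
            raise Rejected("per-tenant concurrency cap reached")
        if sum(t.cost for t in mine) + cost > self.tenant_budget:
            raise Rejected("per-tenant cost budget exceeded")
        tid = secrets.token_urlsafe(16)     # unguessable task ID, never a counter
        self.tasks[tid] = Task(tid, tenant, cost, now)
        return tid

    def poll(self, tid: str, tenant: str, now=None) -> str:
        """Client check-in: renews the lease and enforces tenant ownership."""
        now = time.time() if now is None else now
        t = self.tasks.get(tid)
        if t is None or t.tenant != tenant:
            raise Rejected("unknown task")  # same error either way: no ID oracle
        t.last_seen = now
        return t.status

    def finish(self, tid: str, status: str = "completed") -> None:
        self.tasks[tid].status = status

    def reap(self, now=None) -> list:
        """Cancel running tasks whose client went silent; returns cancelled IDs."""
        now = time.time() if now is None else now
        cancelled = []
        for t in self._running():
            if now - t.last_seen > self.lease_s:
                t.status = "cancelled"      # real code would also signal the worker
                cancelled.append(t.id)
        return cancelled


if __name__ == "__main__":
    broker = TaskBroker(per_tenant=2, lease_s=30.0)
    first = broker.create("acme", cost=10, now=0.0)
    broker.create("acme", cost=10, now=0.0)
    try:
        broker.create("acme", cost=10, now=0.0)   # third concurrent task: refused
    except Rejected as err:
        print("refused:", err)
    broker.poll(first, "acme", now=10.0)          # only the first task keeps checking in
    print("abandoned and cancelled:", broker.reap(now=35.0))
```

The lease is what defeats the "send one request and disconnect" pattern: the attacker's task stops consuming resources once it falls silent, while a legitimate client that polls normally is unaffected. The per-tenant caps keep one noisy or hostile tenant from exhausting the server-wide pool for everyone else.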
“Since the protocol is transitioning to a stateless model and introducing rich UI apps and asynchronous tasks, critical security boundaries are now entirely dependent on how developers implement them.” Enterprises will now have greater responsibility for the security of their MCP servers. “While the update improves the foundation by eliminating older protocol-level risks, implementation choices will now dictate the overall security posture.”

Those choices are susceptible to various implementation flaws. Specific areas that are highly prone to such flaws can lead to “workflow hijacking and cross tenant access; privilege escalation and secrets leakage; header/body inconsistencies that bypass security controls; hit and run DoS attacks against long running tasks; and malicious script execution and phishing through insecure UI panels.”

Akamai summarizes, “The changes are not simply incremental improvements. They fundamentally reshape where security responsibilities reside.” Security decisions that were previously enforced by the protocol are increasingly delegated to MCP server developers and platform operators. The advantage, even necessity, of an enterprise rather than single-user MCP cannot be denied; but there is much for the in-house developer and security team to learn, understand, and implement over the next 12 months to make it secure.

Related: Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking
Related: ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks
Related: Anthropic MCP Server Flaws Lead to Code Execution, Data Exposure
Related: Top 25 MCP Vulnerabilities Reveal How AI Agents Can Be Exploited

Written By Kevin Townsend. Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. 
For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
Indicators of Compromise
- mitre_attack — T1537
- mitre_attack — T1190
- mitre_attack — T1499