New Enterprise-Ready MCP Specification Introduces Security Risks for Developers


The Model Context Protocol (MCP) is undergoing a significant transformation, evolving from a single-user server to an enterprise-ready platform designed for expansive cloud-native AI applications. Companies have until July 28, 2026, to prepare for this transition, which will mark a pivotal shift in how AI agents integrate with business tools.

Transitioning to MCP 2026-07-28

Originally introduced by Anthropic in 2024, the MCP began as a local, single-user AI integration tool. It has since established itself as the standard for connecting AI agents to various business applications. The upcoming version, MCP 2026-07-28, will initiate a 12-month deprecation window for legacy versions, introducing a platform capable of supporting enterprise-scale, cloud-native deployments.

The Model Context Protocol Blog announced that a key change in this new version is the stateless nature of the protocol layer. This transition is supported by six Specification Enhancement Proposals (SEPs), which were detailed in the release candidate published on May 21, 2026. The final specification will be available on the designated launch date.

Security Implications of Stateless Design

Akamai, a cybersecurity firm, has conducted a thorough analysis of the new MCP format ahead of its launch. The firm notes that while the updated protocol addresses several existing vulnerabilities, it simultaneously introduces new security challenges that heavily rely on the quality of implementation.

Key improvements include the elimination of session hijacking, prevention of unsolicited server-initiated prompts, and enhanced authentication standards. However, the stateless design introduces complexities. Akamai highlights that real-world AI interactions often require ongoing dialogues rather than simple exchanges. This necessitates the use of tracking identifiers and state objects that the server provides to the client, raising concerns over predictable IDs that could lead to workflow hijacking, unauthorized data access, and cross-tenant actions.
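One way a server can hand state to the client without making it guessable or transferable is shown below. This is an added example, not code from the MCP specification, an MCP SDK, or Akamai; the function names, field names and key handling are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: one secret per deployment, kept server-side and rotated by the operator.
SERVER_KEY = secrets.token_bytes(32)

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state(tenant, principal, workflow, ttl=300, now=None):
    """Build the opaque handle a stateless server gives the client to echo back."""
    issued = int(time.time() if now is None else now)
    body = {
        "tid": tenant,                    # tenant the workflow belongs to
        "sub": principal,                 # authenticated caller that started it
        "exp": issued + ttl,              # short lifetime limits replay
        "nonce": secrets.token_hex(16),   # random, so handles cannot be guessed
        "wf": workflow,                   # signed, NOT encrypted: keep secrets out
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def resume_state(handle, tenant, principal, now=None):
    """Check integrity, expiry and ownership before trusting client-held state."""
    try:
        payload_part, tag_part = handle.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except ValueError:
        raise PermissionError("malformed state handle")
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("state handle was not issued by this server")
    body = json.loads(payload)
    current = time.time() if now is None else now
    if current >= body["exp"]:
        raise PermissionError("state handle expired")
    # Compare against the identity from the request's own authentication,
    # never against anything the client supplied inside the handle.
    if (body["tid"], body["sub"]) != (tenant, principal):
        raise PermissionError("state handle belongs to another tenant or user")
    return body["wf"]
```

The `tenant` and `principal` arguments to `resume_state` must come from the authenticated request context, so a handle copied to another tenant fails the ownership check even though its signature is valid.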

New Risks with HTTP Headers

The new specification also introduces MCP-specific HTTP headers, such as MCP-Method and MCP-Name. This change brings with it new risks, including protocol confusion (Desync) attacks and potential data leakage through x-mcp-header. Akamai warns that if developers inadvertently include sensitive information like API keys or personally identifiable information (PII) in these headers, such data could become visible to various intermediaries, including load balancers and logging systems.

Akamai further identifies two additional changes that could expand the attack surface. The elevation of MCP Apps to a first-class protocol extension enhances user experience but also introduces traditional web browser vulnerabilities, such as stored cross-site scripting (XSS). Additionally, the introduction of long-running tasks creates a significant denial-of-service (DoS) vector. An attacker can exploit this by initiating resource-intensive operations and then disconnecting, leaving the server to manage the resource drain.
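A common mitigation for the start-and-disconnect pattern is to cap concurrent tasks per caller and keep each task alive only while its owner keeps checking on it. The sketch below is an added example, not part of the MCP specification or any SDK; `TaskRegistry`, its parameters, and the assumption that the client polls for status are all hypothetical.

```python
import secrets, time

class TaskRegistry:
    """Bounds long-running work per caller and cancels tasks nobody is waiting on."""

    def __init__(self, max_per_owner=2, lease=30, max_runtime=600):
        self.max_per_owner, self.lease, self.max_runtime = max_per_owner, lease, max_runtime
        self.tasks = {}  # task id -> {"owner", "cancel", "deadline", "lease_until"}

    def start(self, owner, cancel, now=None):
        """Admit a task for an authenticated owner; cancel() must stop the real work."""
        now = time.monotonic() if now is None else now
        self.reap(now)  # free slots held by abandoned tasks first
        if sum(t["owner"] == owner for t in self.tasks.values()) >= self.max_per_owner:
            raise RuntimeError("per-owner task quota exceeded")
        task_id = secrets.token_urlsafe(16)  # unguessable, so others cannot renew it
        self.tasks[task_id] = {"owner": owner, "cancel": cancel,
                               "deadline": now + self.max_runtime,
                               "lease_until": now + self.lease}
        return task_id

    def heartbeat(self, task_id, owner, now=None):
        """Called when the owner polls for status; extends the lease up to the deadline."""
        now = time.monotonic() if now is None else now
        self.reap(now)  # an already-lapsed task must not be revived
        task = self.tasks.get(task_id)
        if task is None or task["owner"] != owner:
            raise PermissionError("unknown task or wrong owner")
        task["lease_until"] = min(now + self.lease, task["deadline"])

    def reap(self, now=None):
        """Cancel every task whose lease lapsed (client gone) or that hit its deadline."""
        now = time.monotonic() if now is None else now
        expired = [tid for tid, t in self.tasks.items() if now >= t["lease_until"]]
        for tid in expired:
            self.tasks.pop(tid)["cancel"]()
        return expired
```

In a real server `reap` would also run on a timer, so abandoned work is stopped even when no new requests arrive.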

Expanding Attack Surface

It is crucial to note that the vulnerabilities are not inherent to the MCP protocol itself but rather stem from the expanded attack surface of MCP servers built on this new specification. Maxim Zavodchik, Senior Director of Threat Research at Akamai, emphasizes that the transition to a stateless model and the introduction of rich user interface applications and asynchronous tasks shift critical security boundaries to developers.

Enterprises will bear greater responsibility for securing their MCP servers. While the update enhances foundational security by removing older protocol-level risks, the choices made during implementation will significantly influence the overall security posture.

Implementation Flaws and Security Responsibilities

Implementation flaws in these areas may lead to various security issues, including workflow hijacking, cross-tenant access, privilege escalation, secrets leakage, and inconsistencies that bypass security controls. The potential for hit-and-run DoS attacks against long-running tasks and the risk of malicious script execution through insecure UI panels further complicate the security landscape.

Akamai summarizes the situation by stating that these changes are not merely incremental improvements; they fundamentally reshape where security responsibilities lie. Decisions that were once enforced by the protocol are increasingly delegated to MCP server developers and platform operators.

The necessity of transitioning to an enterprise-level MCP is clear, yet it presents a steep learning curve for in-house developers and security teams. Over the next 12 months, organizations must adapt to these changes to ensure the security of their systems.

For further insights into the evolving landscape of cybersecurity, refer to the original reporting source: SecurityWeek.
