The New MCP Specification: What Security Teams Must Prepare For

This Akamai blog post by Maxim Zavodchik, Segev Fogel, and Gal Meiri analyzes the upcoming July 28, 2026, update to the Model Context Protocol (MCP), which transitions the protocol to an enterprise-grade, stateless architecture. While the update eliminates major protocol-level risks such as session hijacking and weak authentication, it shifts critical security responsibilities to developers and introduces new attack surfaces: cross-agent workflow hijacking via untrusted client state objects, client-controlled metadata manipulation, header confusion attacks, stored XSS in new MCP interactive apps, and denial-of-service risks from long-running background tasks. The authors conclude that security teams must now treat all client-provided state and metadata as untrusted and enforce cryptographic verification, output encoding, and resource quotas, because the protocol's security posture now depends entirely on implementation quality rather than protocol-level guarantees.

https://www.akamai.com/blog/security-research/new-mcp-specification-security-teams-must-prepare
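As an added illustration (not code from the Akamai post or the MCP specification), the sketch below shows one way a stateless server can treat a client-returned state object as untrusted: the state is MAC'd on issue, bound to the authenticated principal, and rejected when tampered with, replayed by another agent, or stale. The token layout, the function names `issue_state` and `verify_state`, the key, and the five-minute lifetime are all assumptions made for the example, not the MCP wire format.

```python
import base64, hashlib, hmac, json, time

# Assumption: one secret shared by all stateless server instances (constructed value).
SERVER_KEY = b"constructed-demo-key-load-from-a-secret-store"
MAX_AGE_SECONDS = 300  # assumption: state is only valid for five minutes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_state(state: dict, principal: str, now=None) -> str:
    """Serialize workflow state, bind it to the authenticated principal, and MAC it."""
    envelope = {"state": state, "sub": principal,
                "iat": int(now if now is not None else time.time())}
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_state(token: str, principal: str, now=None) -> dict:
    """Return the state only if the MAC, principal binding and age all check out."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong part count or bad base64
        raise ValueError("malformed state token") from exc
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("state MAC mismatch")
    envelope = json.loads(body)  # parsed only after the MAC verifies
    if envelope["sub"] != principal:
        raise ValueError("state issued to a different principal")
    age = int(now if now is not None else time.time()) - envelope["iat"]
    if age < 0 or age > MAX_AGE_SECONDS:
        raise ValueError("state expired")
    return envelope["state"]
```

The `principal` argument must come from the server's own authentication of the caller, never from a client-supplied field or header, otherwise the binding check verifies nothing.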
