Enterprise-Grade MCP Specification Introduces Critical Security Challenges


New Enterprise-Ready MCP Specification Introduces Complex Security Considerations

Evolution of the Model Context Protocol

The Model Context Protocol (MCP) is undergoing a significant transformation, shifting from a single-user server architecture to an enterprise-focused framework designed for cloud-native AI environments. Organizations have a 12-month window to adapt to the upcoming changes, which take effect on July 28, 2026. Initially developed by Anthropic in 2024 as a local tool for integrating AI agents with business systems, MCP has since become the standard protocol for AI agent communication.

Key Changes in MCP 2026-07-28

The latest iteration, MCP 2026-07-28, represents a major overhaul, enabling scalable cloud-native deployments. A critical update to the protocol is its transition to a stateless design at the protocol layer. This shift, outlined in a blog post by the Model Context Protocol team, involves six Specification Enhancement Proposals (SEPs) that collectively redefine how sessions are managed. The release candidate, finalized on May 21, 2026, will be followed by the final specification on July 28. During the intervening 10 weeks, developers are tasked with validating the updates against real-world workloads.

Akamai’s Analysis of the New MCP Framework

Akamai’s analysis of the new MCP framework highlights both improvements and emerging risks. While the protocol eliminates certain vulnerabilities, such as session hijacking, it introduces new security challenges tied to implementation quality. The stateless nature of the protocol replaces persistent sessions with tracking identifiers and state objects, which are managed by the server and passed to clients. This change raises concerns about predictable identifiers being exploited for workflow hijacking, unauthorized cross-tenant actions, and data access violations.

Security Risks and Implementation Challenges

The introduction of MCP-specific HTTP headers, including MCP-Method and MCP-Name, adds two distinct risks. First, protocol confusion (desync) attacks could occur if a server and the intermediaries in front of it interpret the header values differently. Second, data leakage is possible if sensitive inputs such as API keys, tokens, or personally identifiable information (PII) are inadvertently placed in headers. Unlike the request body, these headers are visible to intermediaries such as load balancers and logging systems, which increases the attack surface.

Additional risks stem from two new features: MCP Apps as a first-class protocol extension and long-running tasks. While MCP Apps enhance the user experience, they also bring traditional web vulnerabilities such as stored cross-site scripting (XSS). Long-running tasks, which are resource-intensive for servers, create a potential denial-of-service (DoS) vector: an attacker could start expensive operations and then disconnect, leaving the server to spend computational resources on work that no client will ever consume.

Expert Insights on Implementation Risks

Maxim Zavodchik, senior director of threat research at Akamai, emphasized that the protocol itself is not inherently less secure but that the expanded attack surface now depends heavily on how developers implement the new specification. Security boundaries previously enforced by the protocol are now delegated to server operators, increasing the risk of implementation flaws. Potential issues include workflow hijacking, privilege escalation, header/body inconsistencies, and malicious script execution through insecure UI components.
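The predictable-identifier, cross-tenant and header/body inconsistency risks described above are implementation concerns, so a server-side check is the natural illustration. The following is an added example, not code from Akamai or from the MCP project: it issues tracking identifiers that are unguessable and HMAC-bound to a tenant, and validates one MCP-style HTTP request for header grammar, header/body agreement and tenant ownership. The `MCP-Tracking-Id` header name, the identifier format and the JSON-RPC body shape are assumptions of this example; `MCP-Method` and `MCP-Name` are the header names the article cites.

```python
import hashlib
import hmac
import json
import re
import secrets

# Per-deployment secret that binds tracking identifiers to a tenant (constructed for the demo).
SERVER_KEY = secrets.token_bytes(32)
METHOD_RE = re.compile(r"^[a-z]+(/[a-zA-Z_]+)*$")   # e.g. "initialize", "tools/call"
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")    # tool/resource names, never free text


def new_tracking_id(tenant: str) -> str:
    """Unguessable identifier plus an HMAC tag over the issuing tenant (assumed design)."""
    nonce = secrets.token_urlsafe(24)
    tag = hmac.new(SERVER_KEY, f"{tenant}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def tracking_id_belongs_to(tracking_id: str, tenant: str) -> bool:
    """Constant-time check that the identifier was issued to this tenant, not another one."""
    nonce, sep, tag = tracking_id.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{tenant}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def check_request(headers: dict, body: bytes, tenant: str) -> list:
    """Return the policy violations found in one MCP-style HTTP request (empty list = accept)."""
    problems = []
    try:
        msg = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(msg, dict):
        return ["body is not a JSON-RPC object"]
    # Headers are what proxies and logs see: hold them to a strict token grammar so that
    # no secret or free text lands there and no odd characters can confuse an intermediary.
    for name, pattern in (("MCP-Method", METHOD_RE), ("MCP-Name", NAME_RE)):
        value = headers.get(name)
        if value is not None and not pattern.fullmatch(value):
            problems.append(f"{name} header value is not a valid token")
    # The server acts on the body, so a routing header that disagrees with it is rejected.
    if "MCP-Method" in headers and headers["MCP-Method"] != msg.get("method"):
        problems.append("MCP-Method header disagrees with JSON-RPC body method")
    # A guessed identifier, or one issued to another tenant, fails the HMAC binding.
    tid = headers.get("MCP-Tracking-Id", "")   # header name is an assumption of this example
    if not tracking_id_belongs_to(tid, tenant):
        problems.append("tracking identifier missing or not issued to this tenant")
    return problems
```

The tenant label used in the HMAC must come from the authenticated caller, not from a client-controlled header, or the binding proves nothing.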

Implications for Enterprise Security

The transition to an enterprise-ready MCP necessitates heightened vigilance from security teams. While the update addresses older protocol-level risks, the responsibility for securing server implementations has shifted to organizations. Enterprises must prioritize understanding and mitigating these new challenges within the 12-month timeline to ensure robust security postures.

The evolution of MCP underscores the growing complexity of AI integration in enterprise environments. As the protocol adapts to cloud-native demands, the interplay between design improvements and implementation risks will shape the security landscape for AI-driven systems.
