MCP 2026-07-28 Specification — Akamai Maps New Attack Surfaces After Security Overhaul
AI relevance: The MCP protocol underpins most production AI agent integrations with enterprise tools — the new specification's shift from protocol-enforced security to developer-implemented controls directly affects every team deploying MCP servers for agent tooling.
- The MCP 2026-07-28 specification, due July 28, is the largest architectural change to the Model Context Protocol since Anthropic created it in 2024. It transitions MCP from a local, single-user tool into a stateless, enterprise-grade, cloud-native platform.
- The rebuild closes several old attack classes: stateful session hijacking via the Mcp-Session-Id header is eliminated, server-initiated prompts are strictly limited, and OAuth 2.1 with PKCE becomes mandatory.
- Akamai Technologies published the first independent security analysis of the new spec, concluding that while protocol-level risks are reduced, security decisions now fall to developers and platform operators building on it.
- New attack surface #1 — Stateless workflow hijacking: the protocol no longer keeps permanent sessions, instead issuing tracking IDs and state objects to the client. Predictable IDs or unvalidated state integrity enables workflow hijacking, cross-tenant data access, and unauthorized actions.
- New attack surface #2 — Unsigned metadata injection: a new _meta object lets clients attach custom key-value pairs to any MCP message without cryptographic signatures. An attacker can inject a forged "tenant: admin" pair to escalate privileges.
- New attack surface #3 — Header/body desync: MCP defines its own HTTP headers (Mcp-Method, Mcp-Name) for proxy routing. Sending one value in the header and another in the JSON-RPC body lets a request bypass controls that trust only one side.
- New attack surface #4 — Secret leakage via x-mcp-header: this directive maps tool arguments straight into HTTP headers. Accidentally mapping API keys, tokens, or PII exposes them to every load balancer, proxy, and log in the path.
- New attack surface #5 — Stored XSS via MCP Apps: interactive panels (forms, dashboards) are now a first-class protocol extension. An attacker can store malicious HTML/JS through a tool that runs when another user or agent views the content.
- New attack surface #6 — "Hit-and-run" DoS: long-running tasks cost the client almost nothing to spawn but consume server CPU, memory, and storage. An attacker sends one request to start an expensive operation and immediately disconnects.
Why It Matters
MCP has become the de facto standard for connecting AI agents to business tools. This specification change affects every organization running MCP servers in production. The protocol is removing guardrails it used to enforce and delegating them to implementation quality — meaning a poorly built MCP server under the new spec is arguably worse off than under the old one, because the attack surface is larger and the security bar is higher. Teams have a 12-month deprecation window, but the new attack vectors exist the moment a server implements the spec.
What to Do
- Audit every MCP server you operate for predictable tracking IDs, unvalidated state objects, and unsigned metadata acceptance. Treat client-supplied state as untrusted.
- Review x-mcp-header mappings — ensure no API keys, tokens, or PII are mapped to HTTP headers.
- Implement header/body consistency checks to prevent desync attacks. Validate that Mcp-Method and Mcp-Name headers match the JSON-RPC body.
- Sandbox MCP Apps with strict CSP headers and treat rendered content as untrusted HTML.
- Rate-limit and resource-cap long-running tasks. Require authentication before task creation and enforce per-tenant concurrency limits.
- Start migration to MCP 2026-07-28 now — the 12-month window will pass faster than expected, and the new attack surfaces are live from day one of implementation.
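The first and third action items above (untrusted client state, header/body consistency) as an added example written for this summary, not code from Akamai or the MCP project. It assumes, since the article does not say, that Mcp-Method mirrors the JSON-RPC "method" field and Mcp-Name mirrors params.name for tool calls; the state object format is a constructed one, and the tenant is always taken from the authenticated session rather than from the body or _meta.

```python
import base64, hashlib, hmac, json, secrets
from typing import Optional, Tuple

# Assumed routing contract (not stated in the article): Mcp-Method mirrors the
# JSON-RPC "method" and Mcp-Name mirrors params["name"]. Adapt to your proxy.

def check_header_body_consistency(headers: dict, body: bytes) -> Tuple[bool, str]:
    """Reject a request whose routing headers disagree with its JSON-RPC body."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return False, "body is not a JSON-RPC 2.0 object"
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "mcp-method" in hdr and hdr["mcp-method"] != msg.get("method"):
        return False, "Mcp-Method header does not match body method"
    params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
    if "mcp-name" in hdr and hdr["mcp-name"] != params.get("name"):
        return False, "Mcp-Name header does not match params.name"
    return True, "ok"

def issue_state(secret: bytes, tenant: str, workflow: dict) -> str:
    """Hand the client an unpredictable, HMAC-tagged state object (constructed format)."""
    payload = {"id": secrets.token_urlsafe(32), "tenant": tenant, "workflow": workflow}
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, raw, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(raw).decode() + "." + tag

def load_state(secret: bytes, token: str, authenticated_tenant: str) -> Optional[dict]:
    """Accept a client-supplied state object only if its tag verifies and it
    belongs to the tenant established by authentication, never by _meta claims."""
    try:
        b64, tag = token.split(".", 1)
        raw = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # missing separator or malformed base64
        return None
    expected = hmac.new(secret, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered state
    payload = json.loads(raw)
    if payload.get("tenant") != authenticated_tenant:
        return None  # cross-tenant replay of a valid state object
    return payload
```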