New Enterprise-Ready MCP Specification Brings New Security Challenges

A major overhaul of the Model Context Protocol shifts critical security responsibilities from the protocol itself to developers and platform operators.

MCP is evolving from a single-user server to an enterprise-ready server fit for expanded cloud-native AI usage. Companies have 12 months to get ready.

The Model Context Protocol (MCP) began life as a local, single-user AI integration tool. It was introduced by Anthropic in 2024 and has since become the de facto standard for connecting AI agents to business tools.

On July 28, 2026, it will transition to a new version, MCP 2026-07-28, with a 12-month deprecation window for legacy versions. The new MCP introduces a platform able to support enterprise-scale, cloud-native deployments.

“The headline change is that MCP is now stateless at the protocol layer. Six Specification Enhancement Proposals (SEPs) work together to get there,” announced the Model Context Protocol Blog while publishing the release candidate on May 21, 2026.

“The release candidate is locked as of May 21, 2026. The final specification will be published on July 28, 2026. The ten-week window is for SDK maintainers and client implementers to validate the changes against real workloads.”

Akamai is one of the firms that has studied the new specification ahead of the July 28 launch and describes its conclusions in a blog post. For cybersecurity, “While the protocol removes several classes of vulnerabilities, it also introduces new areas where security depends heavily on implementation quality,” reports Akamai.


Improvements include the elimination of session hijacking at the protocol level (a stateless protocol has no persistent session to steal); the prevention of unsolicited server-initiated prompts; and stronger authentication standards. At the same time, new attack surfaces are introduced.

Statelessness is the headline change, and Akamai suggests it “introduces subtle security challenges. In the real world, AI interactions aren’t always a simple ‘one-and-done’ conversation; they often require a back-and-forth chain of events.”

Rather than permanent sessions, the new version introduces tracking identifiers and state objects that the server hands to the client. Akamai lists three concerns over any potentially predictable IDs: hijacking an active workflow, accessing data belonging to a different agent, and triggering unauthorized cross-tenant actions.
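The following is an added example, not Akamai's code and not part of the MCP specification, of how an MCP server can make the tracking identifiers and state objects described above unguessable and tenant-bound. The workflow ID comes from the OS CSPRNG, and the state object handed to the client is an HMAC-sealed record of the tenant and agent it was issued to, with an expiry. The key, the tenant and agent names and the field layout are assumptions for the demonstration. The verification function rejects the three cases Akamai lists: a tampered or guessed ID, a state object presented by a different agent, and one presented by a different tenant.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption: a server-side key used only to authenticate state objects. In
# production it comes from a KMS/secret store; this constant is for the demo.
STATE_KEY = b"constructed-demo-key-do-not-reuse"


def new_workflow_id():
    """Unguessable workflow identifier: 128 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(16)


def issue_state(tenant, agent, step, ttl_s=300, now=None):
    """Build the opaque state object the server hands back to the client.

    It records which tenant and agent it was issued to, the workflow step and
    an expiry, and is sealed with HMAC-SHA256 so the client cannot forge or
    edit it. The format (hex payload + "." + hex tag) is an assumption.
    """
    now = time.time() if now is None else now
    body = {"wid": new_workflow_id(), "tenant": tenant, "agent": agent,
            "step": step, "exp": int(now + ttl_s)}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def verify_state(token, tenant, agent, now=None):
    """Check a state object presented on a follow-up request.

    Raises PermissionError on a bad signature, an expired object, or a
    presenter whose tenant/agent differ from the ones the state was issued
    to (the cross-agent and cross-tenant cases).
    """
    now = time.time() if now is None else now
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        raise PermissionError("malformed state object")
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison; compare bytes so a non-ASCII tag cannot
    # turn into a TypeError instead of a clean rejection.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        raise PermissionError("state object signature invalid")
    body = json.loads(payload)
    if body["exp"] < now:
        raise PermissionError("state object expired")
    if body["tenant"] != tenant or body["agent"] != agent:
        raise PermissionError("state object belongs to another tenant/agent")
    return body


def forge_tenant(token, new_tenant):
    """Constructed attacker move: rewrite the tenant field, keep the old tag."""
    payload_hex, tag = token.split(".", 1)
    body = json.loads(bytes.fromhex(payload_hex))
    body["tenant"] = new_tenant
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return payload.hex() + "." + tag


if __name__ == "__main__":
    tok = issue_state("acme", "agent-7", step=2, now=1000.0)
    print("ok, step", verify_state(tok, "acme", "agent-7", now=1001.0)["step"])
    for presenter in (("globex", "agent-7"), ("acme", "agent-9")):
        try:
            verify_state(tok, *presenter, now=1001.0)
        except PermissionError as err:
            print("rejected", presenter, "-", err)
```

The point of sealing rather than encrypting is that the server never has to look the workflow up in a session table to know whom it belongs to; the binding travels with the object and any change to it invalidates the tag. If the state must also be hidden from the client (for example because it carries a partial result), wrap the same payload in an AEAD instead of a bare HMAC.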

The new specification also introduces MCP-specific HTTP headers (such as MCP-Method and MCP-Name). This brings two new risks: protocol confusion (desync) attacks, in which the header and the body describe different requests and intermediaries and the server disagree about which one to act on, and data leakage via x-mcp-header. In the latter, Akamai warns, “If developers accidentally map sensitive inputs like API keys, tokens, or PII, those secrets are pushed straight into the headers. Once there, they become visible to every load balancer, proxy, and logging system along the path.”
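As an added illustration, not code from Akamai or the MCP project, the two checks below cover both header risks. The first refuses a request whose MCP-Method header is absent, duplicated, or disagrees with the method in the JSON-RPC body, which is the inconsistency a desync attack relies on. The second projects tool inputs onto x-mcp-* headers only through an allowlist that refuses credential-like names and values and CR/LF, so a mistaken mapping fails in testing rather than leaking into proxy logs. The header names are taken from the article; their exact semantics under the new spec, the regex patterns, the allowlist and the sample request are assumptions.

```python
import json
import re

# Header name as quoted in the article. Its exact semantics under the new
# spec are an assumption here: we only require it to agree with the body.
METHOD_HEADER = "mcp-method"

# Input names that must never land in a header, and value shapes that look
# like credentials. Constructed for the example; tune per deployment.
SENSITIVE_NAME_RE = re.compile(
    r"(api[_-]?key|secret|token|passw(or)?d|authorization|cookie|ssn|email)",
    re.I)
CREDENTIAL_VALUE_RE = re.compile(
    r"^(Bearer\s|Basic\s|eyJ[A-Za-z0-9_-]+\.|AKIA[0-9A-Z]{16}|sk-)")


def check_method_consistency(headers, body):
    """Return the request method only if header and body agree.

    `headers` is a list of (name, value) pairs rather than a dict so that a
    duplicated MCP-Method header, a classic desync lever, is detected rather
    than silently collapsed to whichever copy the dict kept.
    """
    seen = [v for n, v in headers if n.lower() == METHOD_HEADER]
    if len(seen) != 1:
        raise ValueError(
            f"expected exactly one {METHOD_HEADER} header, got {len(seen)}")
    try:
        msg = json.loads(body)
    except ValueError:
        raise ValueError("body is not valid JSON")
    body_method = msg.get("method") if isinstance(msg, dict) else None
    if not isinstance(body_method, str):
        raise ValueError("body carries no method")
    if seen[0] != body_method:
        raise ValueError(
            f"header/body mismatch: {seen[0]!r} vs {body_method!r}")
    return body_method


def project_headers(inputs, allowlist):
    """Map selected tool inputs onto x-mcp-* headers.

    Only allowlisted names are copied. Anything whose name or value looks
    like a credential or PII, or that contains CR/LF (header injection), is
    refused outright instead of being silently dropped.
    """
    out = {}
    for name, value in inputs.items():
        if name not in allowlist:
            continue
        if SENSITIVE_NAME_RE.search(name):
            raise ValueError(f"refusing to put {name!r} in a header")
        text = str(value)
        if CREDENTIAL_VALUE_RE.match(text):
            raise ValueError(f"value of {name!r} looks like a credential")
        if "\r" in text or "\n" in text:
            raise ValueError(f"value of {name!r} contains CR/LF")
        out["x-mcp-" + name.lower()] = text
    return out


if __name__ == "__main__":
    # Constructed request: header and body agree, then a mismatched pair.
    body = b'{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{}}'
    print(check_method_consistency([("MCP-Method", "tools/call")], body))
    try:
        check_method_consistency([("MCP-Method", "tools/list")], body)
    except ValueError as err:
        print("rejected:", err)
    print(project_headers({"tenant": "acme", "region": "eu-west"},
                          {"tenant", "region"}))
```

Both checks belong at the server, not only at the edge: a load balancer that validates headers but forwards the body unchanged is exactly the component a desync targets, so the component that executes the method must re-derive it from the body and refuse to proceed when the header disagrees.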

Akamai notes two other changes that have potential attack surface concerns. Firstly, while MCP Apps becoming a first-class protocol extension will improve the user experience, it will also introduce traditional web browser risks, such as stored cross-site scripting (XSS).

Secondly, “The introduction of long-running tasks creates a massive denial-of-service (DoS) vector that relies on one-way interactions.” Task creation is cheap for the client, but resource hungry for the server. “An attacker can send a single request to spawn an expensive operation (consuming CPU, memory, or database storage) and immediately disconnect.”
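The broker below is an added example, not Akamai's or the MCP project's code, of the admission control a server needs against the hit-and-run pattern: per-tenant limits on outstanding tasks, reserved cost and submission rate; a lease on every task that the client must keep renewing by polling; and a short grace period once the client disconnects, after which the task is reaped and its reservation released. The limits, costs, injected clock and tenant names are assumptions for the demonstration.

```python
import itertools
from collections import deque
from dataclasses import dataclass


@dataclass
class Task:
    task_id: int       # internal handle; expose an unguessable ID to clients
    tenant: str
    cost: int          # abstract units of CPU/memory/storage reserved up front
    expires_at: float  # lease expiry; the client keeps it alive by polling
    released: bool = False


class TaskBroker:
    """Admission control and lease management for long-running tasks.

    A submission is admitted only if the tenant is under its outstanding-task
    count, its reserved-cost budget and its submission rate. Every task holds
    a lease that the client renews by polling; a client that fires and
    disconnects gets only a short grace period before its task is reaped.
    The clock is injected (`now`) so the behaviour can be driven offline.
    """

    def __init__(self, max_tasks=4, max_cost=100, lease_s=30.0,
                 disconnect_grace_s=5.0, max_submits=10, window_s=60.0):
        self.max_tasks, self.max_cost = max_tasks, max_cost
        self.lease_s, self.grace_s = lease_s, disconnect_grace_s
        self.max_submits, self.window_s = max_submits, window_s
        self.tasks = {}     # task_id -> Task
        self.submits = {}   # tenant -> deque of submission timestamps
        self._ids = itertools.count(1)

    def _live(self, tenant):
        return [t for t in self.tasks.values()
                if t.tenant == tenant and not t.released]

    def submit(self, tenant, cost, now):
        """Admit a task or raise RuntimeError naming the limit that was hit."""
        self.reap(now)
        window = self.submits.setdefault(tenant, deque())
        while window and window[0] <= now - self.window_s:
            window.popleft()
        if len(window) >= self.max_submits:
            raise RuntimeError("submission rate exceeded")
        live = self._live(tenant)
        if len(live) >= self.max_tasks:
            raise RuntimeError("too many outstanding tasks")
        if sum(t.cost for t in live) + cost > self.max_cost:
            raise RuntimeError("reserved cost budget exceeded")
        window.append(now)
        task_id = next(self._ids)
        self.tasks[task_id] = Task(task_id, tenant, cost, now + self.lease_s)
        return task_id

    def renew(self, task_id, now):
        """A poll from the client extends the lease; a lapsed task is gone."""
        task = self.tasks.get(task_id)
        if task is None or task.released or task.expires_at <= now:
            raise LookupError("task no longer exists")
        task.expires_at = now + self.lease_s

    def disconnect(self, task_id, now):
        """Client went away: shorten the lease to the grace period."""
        task = self.tasks[task_id]
        task.expires_at = min(task.expires_at, now + self.grace_s)

    def finish(self, task_id):
        """Result delivered or task cancelled: release its reservation."""
        self.tasks[task_id].released = True

    def reap(self, now):
        """Release every task whose lease has lapsed; return their IDs."""
        reaped = []
        for task in self.tasks.values():
            if not task.released and task.expires_at <= now:
                task.released = True   # a real server also cancels the worker
                reaped.append(task.task_id)
        return reaped


if __name__ == "__main__":
    # Constructed hit-and-run: two expensive tasks, then the client vanishes.
    broker = TaskBroker(max_tasks=2, max_cost=50, lease_s=10.0,
                        disconnect_grace_s=2.0, max_submits=3)
    t1 = broker.submit("evil", 20, now=0.0)
    t2 = broker.submit("evil", 20, now=1.0)
    broker.disconnect(t1, now=2.0)
    broker.disconnect(t2, now=2.0)
    print("reaped after grace:", broker.reap(now=4.0))
```

Charging the reservation at admission rather than at completion is what makes the one-way interaction safe: the server never starts work it has not already accounted to a tenant budget, and a lease that must be renewed turns "the client disconnected" from an event the server might never see into a timeout it is guaranteed to hit.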

Importantly, it is not the MCP protocol itself that is becoming more vulnerable; rather, it is the attack surface of MCP servers built on top of the new specification that is expanding.

Maxim Zavodchik, senior director of threat research at Akamai, told SecurityWeek how he expects the new enterprise-level MCP to affect security teams. “Since the protocol is transitioning to a stateless model and introducing rich UI apps and asynchronous tasks, critical security boundaries are now entirely dependent on how developers implement them.” 

Enterprises will now have greater responsibility for the security of their MCP servers. “While the update improves the foundation by eliminating older protocol-level risks, implementation choices will now dictate the overall security posture.”

Those choices are susceptible to various implementation flaws. Specific areas that are highly prone to such flaws can lead to “workflow hijacking and cross-tenant access; privilege escalation and secrets leakage; header/body inconsistencies that bypass security controls; hit-and-run DoS attacks against long-running tasks; and malicious script execution and phishing through insecure UI panels.”

Akamai summarizes, “The changes are not simply incremental improvements. They fundamentally reshape where security responsibilities reside.” Security decisions that were previously enforced by the protocol are increasingly delegated to MCP server developers and platform operators.

The advantage, even necessity, of having an enterprise rather than single-user MCP cannot be denied; but there is much for the in-house developer and security team to learn, understand, and implement over the next 12 months to make it secure.

Related: Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking

Related: ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks

Related: Anthropic MCP Server Flaws Lead to Code Execution, Data Exposure

Related: Top 25 MCP Vulnerabilities Reveal How AI Agents Can Be Exploited

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
