The Model Context Protocol (MCP) has undergone a significant update, introducing new security challenges for developers and platform operators. The latest version of MCP, set to be released on July 28, 2026, aims to transition from a single-user tool to an enterprise-scale, cloud-native platform.
What Happened
The MCP 2026-07-28 specification removes protocol-level security risks found in earlier versions, such as stateful initialization and server-initiated prompts. However, this shift places greater responsibility on developers and platform operators to implement the new protocol securely. The introduction of a stateless model and MCP Apps, a new extension that allows servers to ship interactive HTML interfaces directly to AI agents, creates new attack surfaces for developers to manage.
Akamai Technologies has studied the new format ahead of the July 28 launch and describes its conclusions in a blog post. According to Akamai, while the protocol removes several classes of vulnerabilities, it also introduces new areas where security depends heavily on implementation quality. The company lists three concerns over potentially predictable IDs: hijacking an active workflow, accessing data belonging to a different agent, and triggering unauthorized cross-tenant actions.
Background and Context
The MCP was introduced by Anthropic in 2024 as a local, single-user AI integration tool. It has since become the de facto standard for connecting AI agents to business tools. The original specification shipped without a mandatory authentication framework, assuming an implicit trust model where MCP servers were benign.
Security researchers have documented several consequences of this approach, including CVE-2025-49596, which showed that unauthenticated MCP Inspector instances could be exploited to execute arbitrary commands. Invariant Labs demonstrated that a malicious MCP server could silently exfiltrate an entire WhatsApp message history. The Supabase Cursor agent incident in June 2025 highlighted how a privileged agent processing user-supplied support tickets could be tricked into leaking integration tokens through prompt injection.
Why It Matters to the Industry
The update introduces new security challenges for developers and platform operators, who must now treat client-supplied data as untrusted and enforce cryptographic verification. The introduction of MCP Apps creates cross-site scripting risks within AI applications, potentially leading to deceptive content and data phishing.
Akamai notes that the changes are not simply incremental improvements but fundamentally reshape where security responsibilities reside. Security decisions that were previously enforced by the protocol are increasingly delegated to MCP server developers and platform operators. The advantages of an enterprise-scale rather than single-user MCP are clear, but in-house developers and security teams have much to learn, understand, and implement over the next 12 months to deploy it securely.
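As an added illustration of the predictable-ID and untrusted-input concerns raised above (example code, not from Akamai or the MCP specification), the following Python shows a sequential workflow ID beside a stateless alternative: an unguessable random ID bound to its tenant by an HMAC that the server verifies before acting on a client-supplied value. The signing key, the dotted field layout and the function names are assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Per-deployment signing key. Constructed here for the example; in a real
# service it would come from a secrets manager, not be generated at import.
SERVER_KEY = secrets.token_bytes(32)


def predictable_workflow_id(counter: int) -> str:
    """The anti-pattern: a sequential counter. Anyone holding wf-41 can guess wf-42."""
    return f"wf-{counter}"


def issue_workflow_id(tenant: str, key: bytes = SERVER_KEY) -> str:
    """Mint an unguessable id that carries its tenant binding and an HMAC tag.

    The server keeps no session table (stateless model); the tag lets it
    recognise its own ids later without trusting the client's claim.
    Tenant identifiers are assumed not to contain '.', the field separator.
    """
    nonce = secrets.token_urlsafe(16)          # 128 bits of randomness, URL-safe alphabet
    payload = f"{tenant}.{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:16]
    tag_b64 = base64.urlsafe_b64encode(tag).decode().rstrip("=")
    return f"{tenant}.{nonce}.{tag_b64}"


def verify_workflow_id(workflow_id: str, requesting_tenant: str, key: bytes = SERVER_KEY) -> bool:
    """Treat the client-supplied id as untrusted: check shape, MAC, then tenant match."""
    parts = workflow_id.split(".")
    if len(parts) != 3:
        return False
    tenant, nonce, tag_b64 = parts
    try:
        tag = base64.urlsafe_b64decode(tag_b64 + "=" * (-len(tag_b64) % 4))
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(key, f"{tenant}.{nonce}".encode(), hashlib.sha256).digest()[:16]
    # compare_digest avoids timing leaks; a mismatched length simply returns False.
    if not hmac.compare_digest(tag, expected):
        return False          # forged or tampered id, e.g. tenant field rewritten
    return hmac.compare_digest(tenant.encode(), requesting_tenant.encode())
```

A request presenting another tenant's ID, a rewritten tenant field, or a guessed sequential value all fail verification, which is the point Akamai's three predictable-ID concerns turn on.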
What Comes Next
The industry will need to adapt to the new security challenges introduced by the updated MCP specification. Developers and platform operators must prioritize implementing the protocol securely and enforcing cryptographic verification. The introduction of MCP Apps requires careful consideration of cross-site scripting risks and potential consequences for AI applications.
Key Facts
- The MCP 2026-07-28 specification removes protocol-level security risks found in earlier versions.
- The new specification introduces a stateless model, creating new attack surfaces for developers to manage.
- Akamai lists three concerns over potentially predictable IDs: hijacking an active workflow, accessing data belonging to a different agent, and triggering unauthorized cross-tenant actions.
- The introduction of MCP Apps creates cross-site scripting risks within AI applications, potentially leading to deceptive content and data phishing.
- Developers and platform operators must treat client-supplied data as untrusted and enforce cryptographic verification.
The updated MCP specification presents new security challenges for developers and platform operators. As the industry adapts to these changes, it is essential to prioritize implementing the protocol securely and enforcing cryptographic verification to mitigate potential risks and consequences.