MCP protocol overhaul fixes old risks but opens new attack surfaces

The Model Context Protocol (MCP) is getting its biggest update yet, and while it fixes several long-standing security issues, it also introduces fresh challenges for developers to wrestle with.

The MCP 2026-07-28 specification, due next month, removes protocol-level risks like stateful initialization and server-initiated prompts. It also mandates OAuth 2.1 for better authentication. That’s the good news.

The bad news: the shift to a stateless, cloud-native architecture means developers now bear more responsibility for security. Akamai researchers identified several new attack surfaces that emerge from the redesign.

First, client-held state objects can be manipulated by attackers to hijack workflows or access unauthorized data. A new _meta object in the spec could let attackers inject malicious key-value pairs for privilege escalation. Mismatches between HTTP headers and JSON-RPC bodies might bypass security controls, and mapping sensitive data into HTTP headers risks exposing secrets.

There’s also a denial-of-service vector dubbed “hit-and-run” task abuse, where attackers trigger expensive operations that eat up server resources without any user interaction. And MCP Apps introduce cross-site scripting risks that could enable deceptive content and data phishing inside AI applications.

The bottom line: MCP security now depends almost entirely on how developers implement it. Client-supplied data must be treated as untrusted, cryptographic verification is essential, and resource quotas need to be enforced.
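As an added illustration of the two points above (untrusted client state and the new attack surfaces), not code from the article, Akamai or the MCP specification: a Python sketch of a stateless server that binds client-held state with an HMAC tag, rejects a header/body principal mismatch instead of picking one side, allowlists `_meta` keys, and enforces a work budget carried inside the signed state. The header name `X-MCP-State`, the `principal`, `cost` and `budget` fields, the allowlist and the key are all assumptions for the example.

```python
import base64, binascii, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key-not-for-production"   # constructed sample key
ALLOWED_META_KEYS = {"progressToken", "traceId"}           # hypothetical allowlist
STATE_HEADER = "X-MCP-State"                               # hypothetical header name

def mint_state(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize client-held state canonically and bind it with an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{base64.urlsafe_b64encode(body).decode()}.{base64.urlsafe_b64encode(tag).decode()}"

def verify_state(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the claims only if the tag verifies and the state has not expired; else None."""
    try:
        b64_body, b64_tag = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def validate_request(headers: dict, body: dict, key: bytes = SERVER_KEY, now=None) -> list:
    """Collect every reason to reject a stateless MCP request; an empty list means accept."""
    problems = []
    claims = verify_state(headers.get(STATE_HEADER, ""), key, now)
    if claims is None:
        problems.append("state token missing, tampered with or expired")
    params = body.get("params", {})
    # Header-carried (verified) principal and body-claimed principal must agree; never reconcile.
    if claims and params.get("principal") not in (None, claims.get("sub")):
        problems.append("principal in JSON-RPC body does not match verified state")
    # Only allowlisted _meta keys are honoured; unknown keys are an explicit reject, not ignored.
    unknown = set(params.get("_meta", {})) - ALLOWED_META_KEYS
    if unknown:
        problems.append(f"unexpected _meta keys: {sorted(unknown)}")
    # The budget lives in the signed state, so the client cannot raise it to run costly work.
    if claims and params.get("cost", 0) > claims.get("budget", 0):
        problems.append("request exceeds remaining budget for this principal")
    return problems
```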
