Back Issues This Week → Calendar → Current Issue → Popular →

All issuesVolume 339, Issue 4IT Vendor NewsAkamai Technologies

The New MCP Specification: What Security Teams Must Prepare For

Akamai Technologies, Thursday, June 25th, 2026

Akamai threat-models the new stateless MCP spec, finding it removes old risks but opens fresh attack surfaces.

Akamai's Security Intelligence Group analyzes the MCP 2026-07-28 specification, the biggest architectural change to the Model Context Protocol since its creation.

The new stateless design eliminates historical risks like protocol-level session hijacking, unsolicited server prompts, and weak authentication.

However, application-managed state, interactive AI interfaces, and long-running async tasks create new vectors including cross-agent workflow hijacking via predictable identifiers, client-controlled metadata manipulation, stored XSS in MCP Apps, and denial-of-service abuse.

The key takeaway is that responsibility for securing these boundaries now shifts entirely to application developers.

more →  ·  More from Akamai Technologies →