The New MCP Specification: What Security Teams Must Prepare For
Akamai Technologies, Thursday, June 25th, 2026
Akamai threat-models the new stateless MCP spec, finding it removes old risks but opens fresh attack surfaces.
Akamai's Security Intelligence Group analyzes the MCP 2026-07-28 specification, the biggest architectural change to the Model Context Protocol since its creation.
The new stateless design eliminates historical risks like protocol-level session hijacking, unsolicited server prompts, and weak authentication.
However, application-managed state, interactive AI interfaces, and long-running async tasks create new vectors including cross-agent workflow hijacking via predictable identifiers, client-controlled metadata manipulation, stored XSS in MCP Apps, and denial-of-service abuse.
The key takeaway is that responsibility for securing these boundaries now shifts entirely to application developers.