Akamai Report Details MCP Security Weaknesses
Security Boulevard, Tuesday, June 23rd, 2026
Akamai finds the new MCP specification removes old risks but opens fresh attack surfaces for developers.
An Akamai report on the upcoming MCP 2026-07-28 specification finds the overhaul removes longstanding protocol-level risks but introduces new attack surfaces.
It eliminates stateful initialization and server-initiated prompts and mandates OAuth 2.1, removing session hijacking via the Mcp-Session-Id header.
New risks include state object manipulation through predictable tracking IDs and unsigned metadata injection via the _meta object enabling privilege escalation or cross-tenant access.
Header-based desync attacks exploit mismatches between MCP HTTP headers and the JSON-RPC body, while sensitive data can leak into headers.
MCP Apps add stored XSS risk and long-running tasks create a denial-of-service vector.