The forthcoming update to the Model Context Protocol (MCP) eradicates several legacy security flaws but simultaneously introduces novel challenges for developers and platform operators to manage, according to research from Akamai Technologies.
- Stateful sessions removed, eliminating session ID hijacking risk
- New client-managed state opens potential workflow hijacking avenues
- Unsigned metadata and header inconsistencies risk privilege escalation
What happened
The Model Context Protocol (MCP) is undergoing its largest change since inception, scheduled for release on July 28, 2026. Akamai’s research highlights that this update removes several ingrained security risks by eliminating long-lived, server-managed sessions and adopting mandatory OAuth 2.1 standards with enhanced protections like PKCE. This transition turns MCP from a local single-user tool into a cloud-native, enterprise-scale platform.
The prior architecture’s stateful initialization process, which relied on an Mcp-Session-Id header that was vulnerable to theft and impersonation, has been replaced with a stateless model. This new model passes tracking identifiers and state objects from server to client and back, so developers must validate these inputs meticulously, since by the time the server sees them again they arrive from the client side.
Why it matters
Although the update strengthens protocol-level security by removing session management risks and tightening server-initiated requests, it simultaneously places more security burdens on developers. Because the protocol no longer enforces session integrity, inadequate validation can expose MCP deployments to workflow hijacking, unauthorized cross-tenant operations, and data leaks.
Additionally, a new _meta object allows clients to attach arbitrary metadata without cryptographic validation, creating the potential for privilege escalation and cross-tenant access if servers accept unverified metadata for authorization or routing decisions. Coupled with MCP's custom HTTP headers, discrepancies between header and message body values can desynchronize components, allowing malicious payloads to bypass security controls and evade detection.
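One way a server can validate state it handed to the client, shown as an added example that is not taken from Akamai's research or the MCP specification: the state is HMAC-tagged when issued and, on return, checked for tampering, expiry, and binding to the authenticated caller. The function names, field names (`tenant`, `sub`, `step`, `exp`) and the key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the server

class StateError(Exception):
    """Raised when client-returned state fails validation."""

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state(tenant, subject, step, ttl=300, now=None) -> str:
    """Serialize workflow state and append an HMAC-SHA256 tag before sending it out."""
    now = time.time() if now is None else now
    body = json.dumps(
        {"tenant": tenant, "sub": subject, "step": step, "exp": int(now) + ttl},
        sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return b64e(body) + "." + b64e(tag)

def verify_state(token, auth_tenant, auth_subject, now=None) -> dict:
    """Accept returned state only if untampered, unexpired, and bound to the caller.

    auth_tenant and auth_subject must come from the validated OAuth access
    token, never from client-supplied metadata or headers.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = b64d(body_b64), b64d(tag_b64)
    except (ValueError, TypeError) as exc:
        raise StateError("malformed state") from exc
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise StateError("bad signature")
    state = json.loads(body)                     # parsed only after the tag checks out
    if state["exp"] < now:
        raise StateError("expired")
    if (state["tenant"], state["sub"]) != (auth_tenant, auth_subject):
        raise StateError("state bound to a different principal")
    return state
```

A valid tag does not stop replay of the same state within its lifetime, so the TTL should stay short and steps that must run once need a server-side record.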
What to watch next
As MCP Apps gain prominence as first-class protocol extensions—enabling interactive panels like forms and dashboards within AI applications—security scrutiny must increase. Akamai warns of the risk of cross-site scripting vulnerabilities entering the AI ecosystem through these interfaces, raising critical considerations for browser-based security models.
Going forward, the security of MCP deployments will heavily depend on cautious implementation practices, including strong validation of client-provided state objects, rigorous metadata handling protocols, and careful mapping of data to HTTP headers to prevent accidental exposure of sensitive information. Monitoring adoption feedback and emerging threat reports will be vital to understanding how these new attack surfaces are exploited or mitigated.