The Model Concept Protocol (MCP) is undergoing a significant transformation, evolving from a single-user server to a robust enterprise-ready system, suitable for comprehensive cloud-native AI applications. Organizations now have a 12-month window to adapt to these changes.
Transition to Enterprise-Scale MCP
Originally introduced by Anthropic as a local AI integration tool, MCP has become the standard for linking AI agents to business applications. With the upcoming release of MCP 2026-07-28 on July 28, 2026, the protocol will support enterprise-scale, cloud-native deployments, allowing a transitional period for older versions.
This new iteration marks a shift to a stateless protocol layer, driven by six Specification Enhancement Proposals (SEPs), as outlined by the Model Context Protocol Blog on May 21, 2026. This change is designed to support more expansive workloads and deployments.
Security Implications of the New MCP
Ahead of the July 28 release, Akamai has analyzed the new MCP format, highlighting potential cybersecurity implications. Although the protocol eliminates some existing vulnerabilities, it introduces new security challenges that depend heavily on implementation quality.
Key improvements include the prevention of session hijacking, unsolicited server prompts, and enhanced authentication standards. However, the stateless nature of MCP presents subtle security challenges, particularly in the context of complex AI interactions that require ongoing communication.
Addressing New Attack Vectors
The introduction of tracking identifiers and state objects, replacing permanent sessions, brings concerns about predictable IDs, which could lead to workflow hijacking and unauthorized data access. Additionally, MCP-specific HTTP headers pose risks of protocol confusion attacks and data leakage.
Other changes, such as MCP Apps becoming a protocol extension and the introduction of long-running tasks, potentially increase the risk of cross-site scripting (XSS) and denial-of-service (DoS) attacks, respectively. These changes demand rigorous security measures from developers.
Developer Responsibility and Future Outlook
Maxim Zavodchik, Akamai’s senior director of threat research, emphasizes the increased responsibility on developers to ensure security. As the protocol evolves, the security of MCP servers hinges on implementation choices, which can impact workflow integrity and data protection.
The shift to an enterprise-ready MCP is essential, yet it requires developers and security teams to thoroughly understand and implement new security measures within the next year to safeguard their systems effectively.
