# MCP Is Evolving From a Single-User Server to an Enterprise-Ready Platform — Companies Have 12 Months to Prepare
The Model Context Protocol (MCP), originally introduced by Anthropic in 2024 as a local, single-user AI integration tool, has rapidly become the de facto standard for connecting AI agents to business tools. Now, it is undergoing a fundamental transformation that will reshape how enterprises deploy AI at scale.
On July 28, 2026, MCP will transition to a new version — **MCP 2026-07-28** — establishing a 12-month deprecation window for legacy versions. The new specification introduces a platform capable of supporting enterprise-scale, cloud-native deployments, marking a significant departure from its single-user origins.
“The headline change is that MCP is now stateless at the protocol layer. Six Specification Enhancement Proposals (SEPs) work together to get there,” announced the Model Context Protocol Blog while publishing the release candidate on May 21, 2026.
“The release candidate is locked as of May 21, 2026. The final specification will be published on July 28, 2026. The ten-week window is for SDK maintainers and client implementers to validate the changes against real workloads.”
## Security Gains and New Attack Surfaces
Akamai is among the companies that have analyzed the new specification ahead of the July 28 launch. Its findings paint a nuanced picture: while the protocol eliminates several classes of vulnerabilities, it simultaneously introduces new areas where security depends heavily on implementation quality.
On the positive side, improvements include the elimination of session hijacking, the prevention of unsolicited server-initiated prompts, and stronger authentication standards. However, the shift to a stateless architecture introduces subtle new security challenges.
“In the real world, AI interactions aren’t always a simple ‘one-and-done’ conversation; they often require a back-and-forth chain of events,” Akamai noted in its analysis. Rather than permanent sessions, the new version introduces tracking identifiers and state objects that the server hands to the client. Akamai identified three key concerns around potentially predictable IDs: hijacking an active workflow, accessing data belonging to a different agent, and triggering unauthorized cross-tenant actions.
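One way to address the predictable-ID concern, as an added example that is not taken from the MCP specification, Akamai's analysis or any SDK: the server authenticates the state object it hands out with an HMAC and binds it to the tenant and caller, so a guessed, altered or borrowed object is rejected. The field names, the five-minute lifetime and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process key; use a secret store in practice
MAX_AGE = 300                         # seconds a state object stays valid (assumed policy)

def _enc(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def issue_state(tenant, principal, workflow, now):
    """Return an opaque state object bound to one tenant and one caller."""
    payload = {"id": secrets.token_urlsafe(16),  # CSPRNG id, never a counter
               "tenant": tenant, "sub": principal, "iat": int(now), "wf": workflow}
    body = json.dumps(payload, sort_keys=True).encode()
    return _enc(body) + "." + _enc(_tag(body))

def verify_state(token, tenant, principal, now):
    """Return (verdict, workflow); tenant and principal come from the authenticated request."""
    try:
        body_part, tag_part = token.split(".")
        body, tag = _dec(body_part), _dec(tag_part)
    except ValueError:
        return "malformed", None
    if not hmac.compare_digest(tag, _tag(body)):   # constant-time comparison
        return "bad-signature", None
    payload = json.loads(body)                     # parsed only after the tag checks out
    if payload["tenant"] != tenant or payload["sub"] != principal:
        return "wrong-owner", None
    if not 0 <= now - payload["iat"] <= MAX_AGE:
        return "expired", None
    return "ok", payload["wf"]

def tampered_copy(token, new_tenant):
    """Constructed negative test case: tenant field rewritten, original tag kept."""
    body_part, tag_part = token.split(".")
    payload = json.loads(_dec(body_part))
    payload["tenant"] = new_tenant
    return _enc(json.dumps(payload, sort_keys=True).encode()) + "." + tag_part
```

The tenant and principal passed to `verify_state` must come from the request's own authentication, never from the state object or any other client-supplied field.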
## New HTTP Headers Bring New Risks
The updated specification introduces MCP-specific HTTP headers, such as MCP-Method and MCP-Name, which bring two new risk categories. The first is protocol confusion (Desync) attacks. The second is data leakage via the x-mcp-header.
“If developers accidentally map sensitive inputs like API keys, tokens, or PII, those secrets are pushed straight into the headers,” Akamai warned. “Once there, they become visible to every load balancer, proxy, and logging system along the path.”
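A server-side check for the header/body mismatch behind the protocol confusion risk, as an added example that is not code from the MCP specification or any SDK. It assumes that MCP-Method mirrors the JSON-RPC `method` field and MCP-Name mirrors `params.name`; the function name and the sample requests are constructed for illustration.

```python
import json

def check_request(headers, body):
    """headers: list of (name, value) pairs as received; body: raw request bytes.

    Rejects any request where an intermediary reading the headers and the
    server reading the body could reach different decisions.
    """
    seen = {}
    for name, value in headers:
        key = name.lower()
        if key in ("mcp-method", "mcp-name"):
            if key in seen:  # two copies: proxies may pick different ones
                return "reject: duplicate " + key
            seen[key] = value.strip()
    try:
        msg = json.loads(body)
    except ValueError:
        return "reject: body is not JSON"
    if not isinstance(msg, dict) or not isinstance(msg.get("method"), str):
        return "reject: no method in body"
    if seen.get("mcp-method") != msg["method"]:
        return "reject: method mismatch"
    params = msg.get("params")
    body_name = params.get("name") if isinstance(params, dict) else None
    if seen.get("mcp-name") != body_name:
        return "reject: name mismatch"
    return "accept"

# Constructed sample requests (not captured traffic).
BODY_READ = b'{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file"}}'
BODY_DELETE = b'{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"delete_file"}}'
HDR_READ = [("MCP-Method", "tools/call"), ("MCP-Name", "read_file")]
HDR_DUP = [("MCP-Method", "tools/list"), ("mcp-method", "tools/call"), ("MCP-Name", "read_file")]

if __name__ == "__main__":
    for hdrs, body in [(HDR_READ, BODY_READ), (HDR_READ, BODY_DELETE), (HDR_DUP, BODY_READ)]:
        print(check_request(hdrs, body))
```

Running the check at the server, after every proxy has forwarded the request, means the comparison uses the same bytes the tool dispatcher will act on.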
## Browser-Level Threats and DoS Vectors
Akamai flagged two additional areas of concern. First, while MCP Apps becoming a first-class protocol extension improves the user experience, it also introduces traditional web browser risks, such as stored cross-site scripting (XSS).
Second, “The introduction of long-running tasks creates a massive denial-of-service (DoS) vector that relies on one-way interactions.” Task creation is cheap for the client but resource-intensive for the server. “An attacker can send a single request to spawn an expensive operation — consuming CPU, memory, or database storage — and immediately disconnect.”
## Shifting Security Responsibility
Critically, it is not the MCP protocol itself that is becoming more vulnerable. Rather, it is the attack surface of MCP servers built on top of the new specification that is expanding.
Maxim Zavodchik, senior director of threat research at Akamai, explained how he expects the new enterprise-level MCP to affect security teams. “Since the protocol is transitioning to a stateless model and introducing rich UI apps and asynchronous tasks, critical security boundaries are now entirely dependent on how developers implement them.”
This means enterprises will now bear greater responsibility for the security of their MCP servers. “While the update improves the foundation by eliminating older protocol-level risks, implementation choices will now dictate the overall security posture.”
Those choices are susceptible to implementation flaws, and the areas most prone to them can lead to “workflow hijacking and cross tenant access; privilege escalation and secrets leakage; header/body inconsistencies that bypass security controls; hit and run DoS attacks against long running tasks; and malicious script execution and phishing through insecure UI panels.”
## A Fundamental Shift in Security Ownership
Akamai summarized the situation succinctly: “The changes are not simply incremental improvements. They fundamentally reshape where security responsibilities reside.” Security decisions that were previously enforced by the protocol are increasingly delegated to MCP server developers and platform operators.
The advantage — and indeed the necessity — of having an enterprise-grade rather than single-user MCP is clear. But there is much for in-house development and security teams to learn, understand, and implement over the next 12 months to ensure these deployments remain secure in the cloud-native era.
—
*This article was written based on an original post from [SecurityWeek](https://www.securityweek.com/).*



