If you’re running MCP servers in production — or planning to — the 2026-07-28 specification update is a genuine milestone and a deadline you need to prepare for. The release candidate (published in May 2026, going final on July 28) makes sweeping changes to the protocol’s security model: eliminating stateful session management, mandating OAuth 2.1, and redesigning core authentication patterns to meet enterprise security standards.

At the same time Anthropic’s partners and the wider community were digesting the spec improvements, Akamai published research identifying new attack surfaces the redesign introduces. Understanding both sides of this picture — what’s been fixed and what new risks the fixes create — is essential for any team running MCP infrastructure.

What the 2026-07-28 Spec Changes

Stateless Protocol Core

The most structurally significant change is the complete removal of stateful session management at the protocol level.

The old initialize/initialized handshake is gone. The Mcp-Session-Id header that provided sticky session state — and created session hijacking as an attack vector — has been removed. Protocol version, client information, and capabilities now travel inline in a _meta field on every individual request rather than being established once at session initialization.

This shift has major architectural implications:

  • Any server instance can handle any request without sticky sessions or shared session stores
  • Horizontal scaling with round-robin load balancing becomes straightforward at the protocol level
  • New ttlMs and cacheScope fields enable explicit caching semantics
  • New Mcp-Method and Mcp-Name headers enable routing and observability
  • W3C Trace Context propagation is now supported for distributed tracing

Application-level state — where your workflow is in a multi-step process, what context needs to be preserved across requests — shifts to explicit handles passed as tool arguments. This makes state model-visible and composable rather than hidden in transport-layer sessions.

Server-to-client interactions (elicitations, for example) are redesigned to work without persistent connections while maintaining security, by constraining them to happen only during active client-initiated flows.

OAuth 2.1 Authorization Hardening

Six Specification Enhancement Proposals (SEPs) upgrade the authorization framework substantially. MCP servers are now expected to operate as proper OAuth 2.1 resource servers with:

  • Mandatory issuer parameter validation per RFC 9207 — prevents authorization server mix-up attacks, particularly important in MCP’s pattern of one client talking to many servers
  • PKCE required for public clients — prevents authorization code interception attacks
  • Improved Dynamic Client Registration — credentials are bound to issuers, with application_type declaration
  • OAuth 2.0 Protected Resource Metadata (RFC 9728) — enables automatic authorization server discovery
  • Resource Indicators (RFC 8707) — lets clients specify which resource servers a given token is intended for
  • Clarified scope handling — including step-up authentication for sensitive operations and .well-known discovery improvements

These changes move MCP from a protocol that had OAuth support to one that enforces OAuth best practices. For enterprise deployments, this is significant — it means MCP servers can pass security reviews that require proper OAuth implementation.
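The issuer check and PKCE binding from the list above, sketched from the client side as an added example (not code from the spec or any SDK). The `pending` store and function names are hypothetical; the issuer URLs in any call are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs


def begin_authorization(pending, issuer):
    """Record which issuer this flow targets; return (state, S256 code_challenge)."""
    state = secrets.token_urlsafe(16)
    verifier = secrets.token_urlsafe(48)  # 64 chars, inside RFC 7636's 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    pending[state] = {"issuer": issuer, "verifier": verifier}
    return state, challenge


def handle_callback(pending, query_string):
    """Validate the redirect; return (issuer, code, code_verifier) or raise ValueError."""
    params = parse_qs(query_string, keep_blank_values=True)

    def single(key):
        values = params.get(key, [])
        if len(values) != 1:
            raise ValueError(f"expected exactly one {key!r} parameter")
        return values[0]

    flow = pending.pop(single("state"), None)  # state is one-time use
    if flow is None:
        raise ValueError("unknown or replayed state")
    # RFC 9207: exact string comparison with the issuer the flow was started with.
    if single("iss") != flow["issuer"]:
        raise ValueError("issuer mismatch (possible mix-up)")
    # The code is redeemed only at the recorded issuer, together with the verifier.
    return flow["issuer"], single("code"), flow["verifier"]
```

Because the code is only ever redeemed at the issuer recorded when the flow began, a response carrying a different `iss` is dropped before any token request is made.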

Other Notable Changes

Beyond security, the spec makes several other important changes:

  • Extensions are first-class: MCP Apps (for server-rendered UIs) and a redesigned Tasks extension become part of the core spec
  • Formal deprecation policy: Roots, Sampling, and Logging are deprecated with migration guidance
  • Full JSON Schema 2020-12 for tool definitions
  • A validation window remains open through July 28; implementers are expected to update for breaking changes before the final release date

What Akamai Found: New Attack Surfaces

On the same day the community was discussing the spec improvements, Akamai’s security research team published findings about risks the new design introduces — specifically around the shift from server-side to client-side state management.

Client State Tampering

The new stateless design means servers hand state objects and workflow tracking identifiers to clients, who return them to resume multi-step workflows. The security assumption is that servers don’t blindly trust these client-supplied values — they validate and, for sensitive operations, cryptographically sign them.

In practice, many implementations won’t do this rigorously. The attack surface is classic: an attacker who can tamper with state values could hijack another user’s active workflow, access data from another agent’s session, or trigger unauthorized cross-tenant actions. This is essentially IDOR (Insecure Direct Object Reference) applied to agentic workflow state — a pattern that’s well-understood in web security but needs explicit mitigation in MCP implementations.
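One way to make a client-held workflow handle tamper-evident and bound to its owner, as an added example (not code from the spec, Akamai, or any SDK). The claim names, the key, and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-key"  # assumption: a real server loads this from a secret store


def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mac(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).digest()


def issue_handle(workflow_id, tenant, subject, ttl_s=300, now=None):
    """Return an opaque handle bound to workflow, tenant, subject and expiry."""
    now = time.time() if now is None else now
    claims = {"wf": workflow_id, "tenant": tenant, "sub": subject, "exp": int(now) + ttl_s}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return body + "." + b64e(mac(body))


def verify_handle(handle, tenant, subject, now=None):
    """Return the claims, or raise ValueError if forged, expired or someone else's.

    tenant and subject must come from the validated access token, never the request.
    """
    now = time.time() if now is None else now
    try:
        body, tag = handle.split(".")
        if not hmac.compare_digest(mac(body), b64d(tag)):
            raise ValueError("bad signature")
        claims = json.loads(b64d(body))
    except (ValueError, AttributeError, TypeError):
        raise ValueError("invalid handle") from None
    if (claims["tenant"], claims["sub"]) != (tenant, subject):
        raise ValueError("handle belongs to another principal")
    if now >= claims["exp"]:
        raise ValueError("handle expired")
    return claims
```

The signature stops modification; the tenant and subject comparison is what stops a valid handle issued to one user from being replayed by another.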

Unsigned _meta Objects

The _meta field carries per-request metadata and arbitrary key-value pairs for extensibility. It’s a useful mechanism for passing context. It’s also unsigned and unvalidated at the protocol level.

If a server uses _meta values for routing decisions, authorization checks, or decisions that elevate privileges without verifying their integrity, a crafted payload can abuse this. An attacker needs only the ability to send a valid MCP request with modified _meta content.

The spec doesn’t prohibit using _meta for sensitive operations — it just doesn’t enforce validation. Implementation responsibility falls on each server.

Header Desync

The new Mcp-Method and Mcp-Name headers convey routing and observability information alongside the same information in the JSON-RPC body. When these sources conflict — either through attacker manipulation or proxy transformation — implementations that trust the wrong source can be exploited.
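A request gate covering both this section and the unsigned _meta section above, as an added example (not code from the spec or any SDK). It assumes Mcp-Method mirrors the body's `method`, Mcp-Name mirrors `params.name`, and _meta sits under `params`; the allowlisted key names and the sample request are constructed.

```python
# Hypothetical key names: the article lists what _meta carries, not the exact keys.
ALLOWED_META = frozenset({"protocolVersion", "clientInfo", "capabilities"})

# Constructed sample request.
SAMPLE_HEADERS = [("Mcp-Method", "tools/call"), ("Mcp-Name", "search_docs")]
SAMPLE_BODY = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
               "params": {"name": "search_docs", "arguments": {"q": "x"},
                          "_meta": {"protocolVersion": "2026-07-28"}}}


def check_request(headers, body):
    """Return (method, name, meta) taken from the JSON-RPC body, or raise ValueError.

    The body is treated as authoritative; headers only have to agree with it.
    """
    hdr = {}
    for key, value in headers:  # list of pairs so duplicate headers stay visible
        key = key.lower()
        if key in ("mcp-method", "mcp-name") and key in hdr:
            raise ValueError(f"duplicate {key} header")
        hdr[key] = value

    method = body.get("method")
    params = body.get("params") or {}
    if not isinstance(method, str) or not isinstance(params, dict):
        raise ValueError("malformed JSON-RPC request")
    if hdr.get("mcp-method") != method:
        raise ValueError("Mcp-Method header disagrees with body")
    name = params.get("name")
    if hdr.get("mcp-name") != name:  # both absent (None) counts as consistent
        raise ValueError("Mcp-Name header disagrees with body")

    meta = params.get("_meta") or {}
    if not isinstance(meta, dict):
        raise ValueError("_meta must be an object")
    unknown = sorted(set(meta) - ALLOWED_META)
    if unknown:
        raise ValueError(f"unrecognized _meta keys: {unknown}")
    return method, name, meta
```

Authorization still comes from the validated access token; nothing returned in `meta` should be used to grant access.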

MCP Apps and Stored XSS

The new MCP Apps extension enables servers to render UI elements to clients. Without proper escaping of untrusted content, this opens a stored XSS vector: malicious content saved to a server gets rendered to a victim’s client when they invoke an affected tool or resource.

Async DoS

The spec’s support for long-running asynchronous tasks creates a denial-of-service surface. An attacker can submit computationally expensive tasks and disconnect, leaving the server to bear the cost. In multi-agent architectures where many agents dispatch tasks to shared servers, the aggregate load can far exceed what any single client generates in normal use.
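A per-client admission check for async tasks, as an added example (not code from the spec or any SDK). The class name, limits, and identifiers are hypothetical; `client_id` is assumed to come from the validated access token.

```python
from collections import defaultdict, deque


class TaskQuota:
    """Per-client limits for async tasks, keyed by authenticated client identity."""

    def __init__(self, max_running=2, max_submits=5, window_s=60.0):
        self.max_running = max_running
        self.max_submits = max_submits
        self.window_s = window_s
        self.running = defaultdict(set)    # client_id -> task ids still executing
        self.submits = defaultdict(deque)  # client_id -> recent submit timestamps

    def admit(self, client_id, task_id, now):
        """Return True and start accounting for the task, or False to refuse it."""
        recent = self.submits[client_id]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()  # forget submissions older than the window
        if len(self.running[client_id]) >= self.max_running:
            return False      # earlier tasks are still consuming server time
        if len(recent) >= self.max_submits:
            return False      # too many submissions in the current window
        recent.append(now)
        self.running[client_id].add(task_id)
        return True

    def finish(self, client_id, task_id):
        """Release the slot when the task itself ends, not when the client disconnects."""
        self.running[client_id].discard(task_id)
```

Since a slot is released only by `finish`, a client that submits work and drops the connection keeps paying for that work against its own quota.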

What to Do Before July 28

In short, the spec genuinely improves baseline security while simultaneously requiring teams to actively defend against new attack surfaces. Upgrading to 2026-07-28 is the right move, but it is not a security fix you can deploy passively.

Before the deadline, prioritize:

  • Validate all client-returned state as untrusted input — don’t assume it was unmodified since you handed it to the client
  • For sensitive multi-step workflows, sign state identifiers and verify signatures on return
  • Define an allowlist of recognized _meta keys your server will act on; ignore or reject unknown keys
  • If you use _meta values for authorization or routing decisions, require cryptographic attestation or reject the pattern entirely
  • Ensure Mcp-Method/Mcp-Name headers are consistent with your JSON-RPC body; reject or normalize conflicting requests
  • If you’re implementing MCP Apps for server-rendered UIs, apply standard content escaping — treat all user-influenced content as untrusted
  • Add rate limiting and task quotas per client identity for async task endpoints

The Akamai team also identified CVEs in existing deployed MCP server implementations (including SQL injection in Apache Doris integration and unauthenticated access in Apache Pinot), which are worth checking regardless of the spec update.

The Validation Window

The official RC is available now, with the final 2026-07-28 spec releasing on July 28. SDKs from Anthropic and the broader community are being updated. Now is the time to review your MCP server implementations against the new spec, update your SDKs, and implement the client-state validation that the new stateless architecture requires.

For the detailed spec: refer to the official MCP documentation at modelcontextprotocol.io.

Sources

  1. MCP Blog — 2026-07-28 Release Candidate
  2. WorkOS — MCP 2026 Spec: Agent Authentication
  3. MCP Directory — MCP 2026-07-28 Release Candidate overview
  4. Akamai — Security research on MCP back-end vulnerabilities
  5. Security Boulevard — Akamai report details MCP security weaknesses

Researched by Searcher → Analyzed by Analyst → Written by Writer Agent (Sonnet 4.6). Full pipeline log: subagentic-20260625-2000
