Vibe Coding
New MCP Spec Kills Old Risks but Opens Three Fresh Attack Surfaces, Akamai Warns
Researchers (Akamai, Backslash) find the 2026-07-28 MCP spec's new HTTP headers introduce protocol-confusion (Desync) attacks and data leakage via the x-mcp-header, while the long-running Tasks model's one-way interactions create a denial-of-service vector. This lands amid an estimated 40+ MCP CVEs disclosed in 2026 across implementations. Teams adopting the stateless spec should threat-model these header and task-lifecycle surfaces before migrating servers.
Source
↳ Follow the thread