Fetching from the wire…
Public story · 2026-07-17 · high
It closes off session-hijack and confused-deputy attacks that come from trusting a connection once and never checking it again.
Why now: AAIF published its rundown of the maturing MCP spec on July 17.
MCP's spec pushes every request to carry its own authorization context, replacing a session trusted once at connect time and never checked again, per AAIF. That closes off a class of attack for anyone self-hosting an MCP server: session hijacking, where a stolen connection rides on trust nobody re-checks. It also closes off confused-deputy attacks, where a server acts on a request without confirming who actually authorized it.
The effect: a gateway sitting in front of an MCP server can check policy on every call, not just once at the door.
AAIF's post doesn't say how existing servers migrate, or when session-trust support actually goes away. It just states the direction: per-request checks, not session trust, going forward.
The spec change is the easy part. The harder problem is every self-hosted MCP server that already trusts a session past the handshake. That trust doesn't get safer just because the spec moved on. Building a new server around per-request checks from day one is far cheaper than ripping session trust out of a dozen live integrations later.
Each link below shares sources, entities, or timing with this story.
Goose built by AAIF / Shared entities / Earlier coverage / Tension
Linked by a graph relationship (Goose built by AAIF); both cover AAIF, MCP; earlier AAIF coverage from 2026-02-23.
Claude Code uses MCP / Shared entity: MCP / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Claude Code uses MCP); both cover MCP; overlapping topics (context, server).
Anthropic released MCP / Shared entity: MCP / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Anthropic released MCP); both cover MCP; overlapping topics (auth, server).
Linked by a graph relationship (Anthropic released MCP); both cover MCP; overlapping topics (context, server).
Cursor uses MCP / Shared entity: MCP / Shared topic / Earlier coverage / Tension
Linked by a graph relationship (Cursor uses MCP); both cover MCP; overlapping topics (class, server).
Anthropic released MCP / Shared entity: MCP / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover MCP; overlapping topics (authorization, check, server).
MCP deprecates Roots / Shared entity: MCP / Shared topic / Earlier coverage
Linked by a graph relationship (MCP deprecates Roots); both cover MCP; overlapping topics (call, server, session).
Anthropic released MCP / Shared entity: MCP / Shared topic / Earlier coverage
Linked by a graph relationship (Anthropic released MCP); both cover MCP; overlapping topics (auth, authorization, server).