MCP's Enterprise Rewrite Draws Security Fire, 15 Days to July 28

<p>Security researchers warn the stateless <strong>2026-07-28 MCP spec</strong> widens the agent attack surface even as it simplifies deployment, sharpening a 15-day migration list: drop <em>Mcp-Session-Id</em> state, expose RFC 9728 metadata, and stand up OAuth 2.1. Meanwhile LangChain's data shows adoption outrunning evaluation — 57% of teams run agents...

Highlights signal board

  • countdown15d
  • signals03
  • sources06
  • watch02
  • Security researchers are now warning that the enterprise-ready 2026-07-28 MCP spec — stateless core, OAuth alignment, server-rendered UIs — widens the agent attack surface even as it simplifies deployment. (SecurityWeek)
  • With 15 days to the July 28 final spec, the production migration list has sharpened: drop Mcp-Session-Id state, expose RFC 9728 protected-resource metadata, and move tool schemas to full JSON Schema 2020-12. (MCP Blog)
  • LangChain's State of Agent Engineering data lands the counterweight to the hype: 57% of teams report agents in production and 89% run observability, but only 52% run evals — a governance gap operators are shipping into. (LangChain)
  • Amazon's Bedrock AgentCore Harness is now generally available, letting teams declare an agent's behavior and hand orchestration to the managed runtime. (AWS)

Key Signals ranked scan

  1. The MCP overhaul is now a security story, not just a migration story

    this week

    Trade coverage from SecurityWeek and SC Media flags that the stateless redesign — no handshake, no session ID, any request hits any instance — removes session-level assumptions that many gateways and auth layers quietly relied on. (SecurityWeek, SC Media) The fix ships in the spec itself: OAuth 2.1 with Protected Resource Metadata (RFC 9728) and a .well-known/oauth-protected-resource endpoint become the expected posture for any server accepting remote connections. (WorkOS)

  2. The 15-day migration checklist is concrete

    MCP Blog, release candidate

    Servers still leaning on sticky sessions or a shared session store can move to a plain round-robin load balancer once state is passed as explicit tool arguments instead of via Mcp-Session-Id. Teams should also add ttlMs to tools/list responses and migrate experimental Tasks to the new lifecycle before the final publication on July 28. (MCP Blog)

  3. Adoption is outrunning evaluation

    LangChain

    LangChain's engineering survey shows observability adoption (89%) far ahead of eval adoption (52%), with 57% of respondents already running agents in production. (LangChain) For platform owners, that gap is the operational risk to name: teams can see what their agents did, but far fewer can prove whether it was correct.

Why It Matters / What To Watch operator watch

  1. Treat the MCP cutover as a security review, not a version bump

    • Audit every place your server reads or writes state keyed to Mcp-Session-Id, then replace it with client-passed handles before removing sticky routing. (MCP Blog)
    • Stand up OAuth 2.1 and the RFC 9728 metadata endpoint now — unauthenticated remote servers are the exposure researchers are calling out. (SecurityWeek, WorkOS)
  2. Close the eval gap while you tighten governance

    • If your agents are in production but not under eval, that is the 48% blind spot from LangChain's data — wire evals into CI before the next framework upgrade regresses a prompt. (LangChain)
    • Watch the managed runtimes converging on the same promise: AgentCore Harness (declare behavior, delegate orchestration) is the pattern to benchmark first-party frameworks against. (AWS)

Quick Links sources