Model Context Protocol Rewrite Shifts AI Agent Security Burden to Developers
The latest rewrite of the Model Context Protocol (MCP) fixes a known AI agent authentication flaw but introduces new risks by offloading security responsibilities to developers.

The Model Context Protocol (MCP), a critical connector enabling AI agents to interact with external tools like databases and booking systems, has undergone its most significant rewrite since its inception. While the update addresses a long-standing weakness in AI agent authentication, security experts warn that it introduces new vulnerabilities by shifting crucial security safeguards from the protocol itself to individual developers.
The core of the change involves the removal of session tracking, a feature that previously relied on session IDs to authenticate AI agents. Under the old system, a tool's server would issue a session ID to an agent upon connection, which the agent then had to present with every subsequent message. This mechanism, while functional, presented a single point of failure: if an attacker obtained the session ID through interception or other means, they could impersonate a legitimate user. The new MCP specification eliminates this session ID requirement, allowing any server to handle any request without needing to maintain state from previous interactions. This closes the door on the old session ID impersonation risk but necessitates new methods for tracking user actions.
While the session ID is gone, a similar tracking mechanism remains in the form of tokens. However, instead of being server-issued and managed, these tokens are now carried by the AI agent and repeated in plain text within the conversation. This change, likened by researchers to swapping a bouncer's recognition for a paper ticket, makes the system more scalable but also more susceptible to interception and misuse. An AI agent could be tricked into accepting and using a token it was never intended to possess, as the protocol lacks inherent checks to prevent this.
To mitigate this, the new draft specifications require servers to verify the integrity of these tracking identifiers whenever they influence access controls. However, the protocol deliberately leaves the implementation of that verification entirely up to the developers building the servers. This flexibility is intended to accommodate complex, long-running tasks that may pause and resume over extended periods. The downside is that there is no enforcement mechanism: developers can skip these checks altogether or implement weak verification, leaving systems vulnerable to session hijacking and unauthorized data access.
This shift in responsibility creates a fragmented security landscape. Two companies could implement the new MCP specifications correctly to the letter of the text, yet end up with vastly different levels of security. One might implement robust digital signature checks for tracking identifiers, while another might trust them implicitly. Similarly, one might impose strict limits on background tasks to prevent resource abuse, while another leaves them open-ended, creating potential denial-of-service vectors.
Adding to the concerns, the new MCP rules also retire the 'Roots' feature, which previously allowed host applications to define specific file access permissions for AI agents. Developers are now expected to manage file permissions through individual tool settings, direct resource URLs, or server configurations. This change replaces a standardized security control with multiple, optional methods. In one documented instance, an AI agent, lacking explicit file access restrictions, read hundreds of unrelated files, including sensitive credentials, and exfiltrated them.
These security gaps, while exacerbated by the MCP rewrite, are not entirely new to AI agent interactions. The protocol's evolution highlights a broader trend in AI development: as capabilities expand, the responsibility for securing these interactions increasingly falls on the shoulders of developers, who must navigate complex and evolving threat landscapes with less built-in protocol-level protection.
The implications of this shift are significant for organizations integrating AI agents into their workflows. Without robust, developer-implemented security measures, the flexibility offered by the new MCP could lead to increased risks of authorization flaws, sensitive data exposure, and unauthorized resource utilization, underscoring the need for heightened vigilance and security best practices in the AI ecosystem.