
The TL;DR
MCP spent the past year gaining neutral governance, native cloud support, and its first federal security review. Each development strengthened the ecosystem, but none fully resolved the governance, visibility, and security gaps created by rapid adoption.
-
• Anthropic Handed Off Governance
Anthropic transferred MCP to a neutral foundation, reducing dependence on a single vendor. Major cloud providers followed with native support, turning MCP from an experimental protocol into shared infrastructure for production AI systems.
-
• Nobody Agrees on the Server Count
The official MCP registry and community-maintained directories report very different totals. That gap makes it difficult to measure adoption, identify abandoned servers, and understand how much of the ecosystem is actively maintained or secure.
-
• Federal Guidance Arrived Late
Federal security guidance appeared after MCP had already spread across production environments. It also arrived as a new framework allowed some capabilities to bypass the normal specification review process, a gap researchers had already shown could create real security risk.
Model Context Protocol connects AI models to the tools, data, and services they need to do real work, and it has become the standard most of the industry builds agents against. That status is new. A year ago, MCP was a single-vendor project with a handful of reference servers.
Keeping up with what changed since then means untangling three spec releases, a governance transfer, and a stream of vendor and agency announcements, each accurate on its own and easy to misread out of order.
This article walks you through the MCP evolution from 2025 to 2026, the progress that happened, the updates that came, and the insights behind them. If you need the basics first, our complete guide to Model Context Protocol covers the client-server model everything below assumes.
What the 2025 Spec Releases Actually Shipped
MCP shipped three dated spec revisions in 2025, each adding capability the previous version lacked. Reading the vendor coverage in order matters here, since features from different releases regularly get lumped together in secondary write-ups.
March 2025: Streamable HTTP and Industry Adoption
The 2025-03-26 release changed both how MCP servers communicate and who was willing to build on them.
- Streamable HTTP: Replaced the original HTTP+SSE transport with a single endpoint that works behind standard load balancers and proxies instead of requiring long-lived connections.
- OAuth 2.1 authorization: Added a full authorization framework where none had existed before.
- Tool annotations. Let a tool declare itself read-only or destructive, so a client can enforce policy around it.
- JSON-RPC batching: Added support for batching requests, which the June release later removed.
That transport change is what made the next two weeks possible.
- OpenAI, late March 2025: Adopted MCP across its Agents SDK, Responses API, and ChatGPT desktop app, a rival building support for a competitor’s protocol.
- Google DeepMind, April 9: Confirmed MCP support for Gemini.
Multiple outlets called the March release MCP’s inflection point, and the timing backs that up. A protocol built mainly for local stdio connections gained a transport designed for hosted, multi-tenant servers in the same month two of Anthropic’s biggest competitors started building on it.
June 2025: Authorization and Structured Data
The 2025-06-18 release tightened how MCP handles identity and credentials:
- OAuth Resource Server classification: MCP servers now identify themselves as OAuth Resource Servers, so a client can verify which server a token is actually meant for.
- RFC 8707 Resource Indicators: Clients must implement Resource Indicators, so a token minted for one server can’t be reused against a different one.
- Elicitation: Servers can pause mid-task to request structured input from a user instead of failing or guessing at what’s missing.
- Expanded
_metaand a newcontextfield. Completion requests can now carry previously resolved variables back to a client.
November 2025: Async Work and Safer Input
The 2025-11-25 release, timed to MCP’s first anniversary, added three capabilities production deployments were missing:
- Async Tasks: Any request can now return a task handle instead of blocking, moving through states like
working,input_required,completed,failed, andcancelled. - URL-mode elicitation: A server can send a user to complete an OAuth or payment flow in their own browser instead of collecting credentials inside the client.
- Sampling with tools: A server can request an LLM completion that includes tool definitions, which is what makes server-initiated agent loops possible.
MCP Registry Growth and Server Quality
The official MCP Registry launched in preview on September 8, 2025, between the two spec releases above. From there, the count depends entirely on who’s counting:
- The official registry: roughly 2,000 server entries by MCP’s first anniversary in November 2025, a 407% increase from September. A May 24, 2026 pull of the registry’s own API counted 9,652 latest server records and 28,959 total server-and-version records, close to Anthropic’s own December 2025 figure of more than 10,000 active public servers.
- Third-party directories: mcp.so listed 20,222 servers as of April 2026, and Glama’s index sat close to 20,000 around the same period.
The gap between those two numbers exists because a registry entry and a maintained product are different things. A weekend project, a fork of that project, and a demo that no longer runs each count as one server in a directory tally, and a large share of any directory’s total is exactly that.
Filtering a 20,000-entry directory by hand costs more time than it saves once you actually need a small number of servers you can depend on. Our own rundown of essential MCP servers for 2026 picks from what’s maintained rather than what’s merely listed, and a gateway like MCP360 works the same way in practice: one integration exposes a curated catalog through the search_tools and execute_tool meta-tools instead of asking you to vet each server’s registry entry yourself.
MCP Joins the Linux Foundation
A month after that November spec release, the protocol’s ownership structure changed. On December 9, 2025, Anthropic donated MCP to the Agentic AI Foundation, a directed fund under the Linux Foundation, alongside two other founding projects:
- MCP, donated by Anthropic
- goose, an agent framework donated by Block
- AGENTS.md, donated by OpenAI
AWS, Google, Microsoft, Cloudflare, and Bloomberg joined as Platinum members at launch.
The practical effect is narrower than the headline suggests. Anthropic’s own maintainers kept authority over the spec through the same Specification Enhancement Proposal process that governed MCP before the donation. What changed is who owns the infrastructure around that process: event budgets, neutral hosting, and a governance structure that doesn’t depend on one company’s roadmap. For teams building on MCP, this signals that competitors were willing to build on infrastructure none of them individually controlled, which is what the next section shows in practice.
Cloud Providers Add Native MCP Support

Through late 2025 and into 2026, the vendors whose data MCP agents actually need to reach shipped first-party support instead of leaving it to community-built wrappers.
Google Cloud
Google Cloud announced fully managed remote MCP servers on December 10, 2025, one day after the AAIF donation. The first four services covered were BigQuery, Google Maps, Compute Engine, and Kubernetes Engine, all in public preview and backed by IAM authentication instead of API keys.
AWS
AWS took a platform-level approach with Bedrock AgentCore Runtime, which hosts and gateways MCP servers rather than shipping one server per service. The standalone AWS MCP Server reached general availability on May 6, 2026.
Microsoft Azure
Azure MCP Server took a different shape again, exposing more than 40 individual tools across compute, storage, databases, and DevOps behind a single server rather than splitting each service out.
Red Hat
Red Hat targeted the deployment problem instead of the tool coverage problem. OpenShift AI 3.4 added an MCP catalog in developer preview, pairing curated, vulnerability-scanned server images with an MCP gateway that handles identity-aware routing and per-tool metrics. That answers a question the public registry doesn’t: whether a given server is safe to run against production infrastructure.
Multi-Agent Frameworks Adopt Native MCP Support
The frameworks developers actually build agents in caught up to the spec over the same stretch.
Microsoft Agent Framework 1.0 went GA on April 3, 2026, merging AutoGen and Semantic Kernel into one SDK with MCP support built in rather than bolted on.
Google’s Agent Development Kit ships native MCP support through its McpToolset, letting an ADK agent consume any MCP server without a separate adapter layer.
What’s changed underneath these frameworks is the division of labor. MCP handles how one agent reaches its tools. A separate protocol, A2A, handles how agents hand work to each other, and it sits under the same Agentic AI Foundation governance as MCP. Our guide to building production multi-agent workflows with MCP and A2A covers how the two fit together, and where teams actually need both.
MCP Security Updates and Government Guidance
By the time MCP turned one year old, researchers had found a critical remote code execution flaw, mapped weak authentication across thousands of live servers, and traced two production incidents back to the protocol’s trust model.
What Researchers Found in 2025
- CVE-2025-49596, rated 9.4 on the CVSS scale, showed that unauthenticated MCP Inspector instances could be tricked into executing arbitrary commands.
- Astrix Research’s analysis of 5,200 public MCP servers found that 88% required credentials to operate, and of those, 53% relied on long-lived static secrets like hard-coded API keys rather than OAuth, which only 8.5% of servers used.
- Separate research counted 492 publicly exposed MCP servers lacking basic authentication or encryption entirely.
The OWASP MCP Top 10 project launched in direct response to findings like these.
Two Incidents That Made the Risk Real
In June 2025, Asana’s MCP integration bled customer data between tenants due to a multi-tenant access control bug. Around the same time, a Supabase agent running with elevated database access processed a support ticket containing embedded SQL instructions and exposed integration tokens in a public thread. Both incidents trace back to the same problem the June 2025 spec release targeted, a server that doesn’t verify who a credential actually belongs to.
What CISA and NSA Did About It
That research pressure reached the federal level in May 2026.
- May 1.CISA, NSA, and cyber authorities from the UK, Australia, Canada, and New Zealand jointly published “Careful Adoption of Agentic AI Services,” the first coordinated multinational guidance for agentic AI systems. It requires agents to carry a verified, cryptographically anchored identity with short-lived credentials rather than the long-lived static tokens Astrix Research found in most MCP deployments.
- May 20.NSA’s Artificial Intelligence Security Center released its first MCP-specific guidance, a 17-page Cybersecurity Information Sheet. It names the same structural issue already covered here, that MCP inverts the usual trust direction by letting servers query and act on a client’s behalf, which makes attack paths harder to trace than a conventional API call. The guidance recommends a filtering outgoing proxy or enterprise DLP for external MCP connections, message signing with replay protection, and scanning local networks for MCP listeners nobody remembers standing up.
What Ships July 28, 2026
The change most current coverage of MCP hasn’t caught up to yet is already locked. The 2026-07-28 spec Release Candidate was finalized on May 21, 2026, with publication targeted for July 28, eighteen days out from today.
The Protocol Drops Sessions
Two changes remove the session model MCP has used since launch:
- The initialize handshake is gone (SEP-2575): Client identity, capabilities, and protocol version now travel in the
_metafield on every request instead of being negotiated once at connection time. - The
Mcp-Session-Idheader is gone (SEP-2567): Any request can land on any server instance without sticky routing or a shared session store.
Two smaller changes support that shift. New Mcp-Method and Mcp-Name headers (SEP-2243) let infrastructure route traffic without inspecting the request body, and list and read results now carry a ttlMs value (SEP-2549) so clients know how long they can cache a tools/list response before re-fetching it.
Extensions Get Formal, Three Primitives Get Deprecated
The same release formalizes an Extensions framework (SEP-2133) that existed only informally in the November 2025 spec, giving extensions their own versioning and a governance track separate from the core protocol. MCP Apps (SEP-1865), which lets a server ship an interactive interface a host renders in a sandboxed frame, becomes the first official extension under that track, alongside a redesigned Tasks extension that anyone who built against the experimental November 2025 Tasks API will need to migrate to.
Roots, Sampling, and Logging move to deprecated status rather than being removed outright. The deprecation policy adopted in this release (SEP-2596) guarantees a minimum twelve-month window before anything currently active stops working, so a server calling roots/list on July 29 gets the same valid response it got the day before.
The Migration Isn’t Urgent Yet
MCP’s maintainers published beta SDKs for Python, TypeScript, Go, and C# on June 29, 2026. Existing 2025-11-25 clients and servers keep working after July 28 without any changes, since the date marks when the spec text becomes final, not a cutover.
The New Spec Trades Old Risks for New Ones
What the new spec doesn’t do is make MCP more secure by default. Akamai’s security research team, reviewing the release candidate ahead of the July 28 date, found that removing the session model closes off session hijacking and the weak-authentication patterns the NSA’s May guidance warned about, but opens three new risks:
- The new
Mcp-MethodandMcp-Nameheaders can leak API keys or tokens into logs and proxies if a developer maps sensitive data into them by mistake. - MCP Apps introduces the kind of stored cross-site scripting risk that comes with any server-rendered interactive interface.
- The Tasks extension creates a denial-of-service path, since starting a task is cheap for a client but resource-intensive for a server.
The pattern holds across this whole piece. Every fix to an old problem in MCP has shipped with a new one attached, and this release is no exception.
Frequently Asked Questions
What is Model Context Protocol?
Model Context Protocol, or MCP, is an open standard that lets AI models connect to external tools, data, and services through a single, shared method instead of a custom integration for each one. Anthropic released it in November 2024, and it has since become the standard most of the AI industry builds agents against, with native support from OpenAI, Google, Microsoft, and AWS.
How does MCP work?
MCP uses a client-server model. An MCP server exposes tools, data, and prompt templates in a standardized format, and an MCP client, usually built into an AI application, connects to that server and calls what it needs. Communication runs over JSON-RPC, either locally over stdio or remotely over Streamable HTTP with OAuth 2.1 authorization.
Why did Anthropic donate MCP to the Agentic AI Foundation?
Anthropic donated MCP to keep the protocol’s governance from depending on one company’s roadmap. On December 9, 2025, MCP moved to the Agentic AI Foundation, a directed fund under the Linux Foundation, alongside Block’s goose framework and OpenAI’s AGENTS.md. AWS, Google, Microsoft, Cloudflare, and Bloomberg joined as Platinum members, signaling competitors were willing to build on infrastructure none of them individually controlled.
What is the MCP Registry, and how many servers does it have?
The official MCP Registry launched in preview on September 8, 2025, and held roughly 9,652 server records by May 2026. Third-party directories like mcp.so and Glama report 20,000 or more, since they count every fork and abandoned demo the curated registry doesn’t. Filtering that many entries by hand takes real time, which is why gateways like MCP360 expose a smaller, maintained catalog instead.
What security risks has MCP faced?
Researchers found a critical remote code execution flaw in MCP Inspector rated 9.4 on the CVSS scale, and a 2025 study of 5,200 servers found most relied on long-lived static secrets instead of OAuth. Real incidents followed, including a data bleed between Asana tenants and an exposed Supabase integration token. The OWASP MCP Top 10 project launched in direct response.
What did NSA and CISA say about MCP security?
NSA’s Artificial Intelligence Security Center released its first MCP-specific security guidance on May 20, 2026, warning that MCP inverts the usual trust direction by letting servers act on a client’s behalf. It recommends message signing, filtering outgoing proxies, and scanning networks for unmanaged MCP listeners. CISA and Five Eyes partners published broader agentic AI guidance weeks earlier. Vendors like MCP360 that carry SOC 2 Type II certification give teams a third-party-verified starting point for evaluating a provider’s controls.
What is MCP Apps?
MCP Apps is the first official extension under MCP’s new Extensions framework, introduced in the July 28, 2026 spec release. It lets a server ship an interactive interface, like a dashboard or form, that a host application renders in a sandboxed frame instead of returning plain text. Security researchers have flagged it as a new cross-site scripting risk to watch.
Which companies support MCP now?
OpenAI adopted MCP across its Agents SDK and ChatGPT desktop app in March 2025, and Google DeepMind confirmed Gemini support weeks later. Google Cloud, AWS, and Microsoft Azure have since shipped native MCP support for their own services, and Microsoft’s Agent Framework and Google’s Agent Development Kit both build it in. Gateways like MCP360 let a team reach many of these integrations through one connection instead of setting up each vendor separately.
Conclusion
MCP Apps shipping as the first official extension under SEP-2133 sets the pattern the next round of MCP capabilities will follow. A capability no longer needs its own dated spec revision to reach production. It needs its own extension repository, its own versioning, and its own maintainers. Some parts of the protocol will keep moving on the twelve-month deprecation clock the July 2026 spec set. Others will move whenever an extension’s maintainers ship, on no fixed schedule at all. Our breakdown of why MCP is becoming the default for AI integration covers the adoption case for why that trade-off is worth making anyway.
Akamai already found real risk in the extensions that shipped with that spec. Header leakage through Mcp-Method and Mcp-Name. Cross-site scripting through MCP Apps’ rendered interface. Denial of service through the redesigned Tasks extension. NSA’s May guidance covered the protocol as it existed before either extension shipped, and nobody has published federal guidance for extensions since.
A year ago, trusting MCP meant trusting one spec that moved on a predictable schedule and got reviewed as a whole. Trusting MCP now means checking each extension on its own, because the next one will ship before anyone outside the team that built it has looked at it closely.
Article by
RajniAI & Tech | Senior Content Writer
Rajni is a senior content writer covering AI agents, automation, and no-code tools. She writes across the AI space, from chatbots and customer support to MCP and agent workflows, focused on how businesses actually put these tools to work.




