TLP:CLEAR · AI-2026-0629

Daily AI Builder Brief - June 29, 2026

Claude Code ships MCP CLI login/logout and Trusted Devices remote-steering gates; next MCP spec RC goes stateless with MCP Apps and Tasks ahead of a July 28 final; fresh MCP supply-chain RCE and a Cursor allowlist-poisoning CVE keep prompt injection the top agent risk.

By The Operator · June 29, 2026 · 4 min read
Tags: ai, claude-code, anthropic, mcp, builder-intel

The Operator's Take

The story today isn't a model; it's plumbing hardening into a control surface. MCP is going stateless at the protocol layer, and Claude Code just moved auth into the CLI (mcp login/logout) and gated remote session steering behind verified devices. Read those together: the MCP layer is finally getting the identity and routing primitives it shipped without, and the same week brought fresh supply-chain RCE in MCP servers. If you run agents against third-party MCP servers, stop treating server trust as a one-time install decision and start treating it like a dependency you audit on every version bump.

Executive Summary

  • Claude Code added mcp login/logout CLI auth plus richer workflow and plugin views (June 27).
  • Trusted Devices now lets Team/Enterprise admins require device verification before anyone views or steers a local session remotely.
  • Build 2.1.195 made hook matchers exact-match (no more accidental substring hits on code-reviewer or mcp__brave-search) and now preserves partial responses on mid-stream connection drops.
  • The next MCP spec release candidate is circulating: a stateless protocol core, MCP Apps (server-rendered UI), a Tasks extension for long-running work, and authorization hardening. Final ships July 28.
  • The public MCP server directory passed 13,000 entries.
  • New MCP supply-chain RCE advisory plus Cursor CVE-2026-22708 (allowlisted commands like git branch weaponized) keep prompt injection the number-one agent risk.
  • Anthropic shipped no new model or platform release inside the 48-hour window; Fable 5 and Mythos 5 remain suspended under the June 12 export-control directive.

Claude Code

MCP CLI auth, plus workflow and plugin views

mcp login/logout land in the CLI alongside richer plugin and workflow surfaces and better background-agent handling. Auth at the CLI means cleaner credential rotation in scripted runs. (Release notes [2])

Trusted Devices for remote session steering

Team and Enterprise admins can require members to verify their device before viewing or steering a local Claude Code session remotely. If you fan out agents across machines, this is your new gate. (Release notes [2])

2.1.195: exact-match hooks, partial-response recovery

Hook matchers are now exact-match, so a matcher such as mcp__brave-search no longer fires on a substring hit; use mcp__brave-search__.* to catch all of a hyphenated server's tools. Mid-stream connection drops now preserve the partial response instead of erroring out. (Changelog [1])
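An added illustration of the matcher change (example code, not Claude Code's own implementation): it models the old substring semantics beside the new exact-match semantics, assumed here to be a regex that must cover the whole tool name, and flags matchers in an existing hooks config that would silently stop firing after the upgrade. Tool names are constructed.

```python
import re

# Constructed tool names as a hook matcher would see them.
# Assumption: MCP tools are exposed as mcp__<server>__<tool>, and the
# brave-search server name carries a hyphen, as the brief notes.
TOOL_NAMES = [
    "Bash",
    "BashOutput",
    "mcp__brave-search__web_search",
    "mcp__brave-search__local_search",
    "mcp__code-reviewer__review",
]

def substring_hit(matcher, tool):
    """Pre-2.1.195 behaviour as modelled here: any substring hit fires the hook."""
    return matcher in tool

def exact_hit(matcher, tool):
    """2.1.195 behaviour as modelled here: the matcher is a regex that must
    cover the whole tool name (assumption: fullmatch semantics)."""
    return re.fullmatch(matcher, tool) is not None

def hooked_tools(matcher, hit=exact_hit):
    """Tools a hook with this matcher would fire on."""
    return [t for t in TOOL_NAMES if hit(matcher, t)]

def silently_dead(matchers):
    """Matchers that fired under substring semantics but hit nothing under
    exact semantics: guards that stop working after the upgrade with no error."""
    return [m for m in matchers
            if hooked_tools(m, substring_hit) and not hooked_tools(m)]

if __name__ == "__main__":
    print(hooked_tools("Bash", substring_hit))   # ['Bash', 'BashOutput']
    print(hooked_tools("Bash"))                  # ['Bash']
    print(hooked_tools("mcp__brave-search"))     # []
    print(hooked_tools("mcp__brave-search__.*")) # both brave-search tools
    print(silently_dead(["Bash", "mcp__brave-search", "code-reviewer"]))
```

The last call shows the practical risk: a PreToolUse guard keyed on mcp__brave-search or code-reviewer keeps its config entry but never fires again, so audit matchers rather than assuming the upgrade only removed false positives.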

Anthropic

Nothing new in the window

No model or platform release was published in the last 48 hours. The most recent product was Claude Tag (June 23). Standing context that still affects builds: Fable 5 and Mythos 5 stay suspended under the June 12 US export-control directive, so don't pin pipelines to either. (Anthropic news [3])

MCP Ecosystem

Next spec RC goes stateless

The release candidate for the next MCP spec is the biggest revision since launch: a stateless core that runs behind plain round-robin load balancers, plus Mcp-Method/Mcp-Name routing headers, cacheable list/read results, MCP Apps, and a Tasks extension. Final lands July 28; the window is for SDK maintainers to validate against real workloads. (MCP blog [4], WorkOS [5])

Broader AI

MCP supply-chain RCE and a Cursor allowlist CVE

An OX Security advisory details RCE across MCP server packages, and CVE-2026-22708 lets attackers poison Cursor's execution environment so allowlisted commands deliver arbitrary payloads. Prompt injection stays OWASP's top LLM risk, which makes agentic red teaming of your MCP surface table stakes. (OX Security [6], Help Net Security [7])

What This Means For Builders

  • Pin and review MCP server versions like any dependency: the postmark-mcp pattern (clean releases, then exfil code) means a trusted server can turn hostile on an update.
  • Don't trust command allowlists as a security boundary. CVE-2026-22708 shows git branch itself can be the payload; sandbox the runtime, don't filter the verb.
  • Plan now for stateless MCP: if your server leans on sticky sessions or a shared session store, the July 28 spec removes that crutch. Move state to the client or a backing store before you migrate.
  • Roll out Trusted Devices before scaling remote agent steering across a team.
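One way to act on the first point above, as an added example (not Claude Code's or the brief's own tooling): a checker that scans a .mcp.json-shaped config for npx-launched servers whose package is not pinned to an exact version, so they can change on the next run with no edit to the config. The mcpServers/command/args shape is the one Claude Code reads; the sample servers are constructed, except postmark-mcp, which the brief names as the cautionary case.

```python
import json
import re

# Constructed sample config; server names and packages are made up.
SAMPLE_MCP_JSON = """
{
  "mcpServers": {
    "postmark": {"command": "npx", "args": ["-y", "postmark-mcp"]},
    "search":   {"command": "npx", "args": ["-y", "@example/search-mcp@1.4.2"]},
    "docs":     {"command": "npx", "args": ["-y", "docs-mcp@latest"]},
    "local":    {"command": "python", "args": ["server.py"]},
    "remote":   {"type": "http", "url": "https://mcp.example.invalid/mcp"}
  }
}
"""

# An exact x.y.z version, optionally scoped (@scope/name@1.2.3).
PINNED = re.compile(r"^(@[^/@]+/)?[^/@]+@\d+\.\d+\.\d+$")

def npx_package(spec):
    """First non-flag argument of an npx launch, or None for other commands."""
    if spec.get("command") != "npx":
        return None
    positional = [a for a in spec.get("args", []) if not a.startswith("-")]
    return positional[0] if positional else None

def unpinned_npx_servers(config_text):
    """Return (server, package) pairs that npx resolves at launch time
    instead of from an exact version: the next run may pull a new release."""
    cfg = json.loads(config_text)
    findings = []
    for name, spec in cfg.get("mcpServers", {}).items():
        pkg = npx_package(spec)
        if pkg is not None and not PINNED.match(pkg):
            findings.append((name, pkg))
    return findings

if __name__ == "__main__":
    for server, pkg in unpinned_npx_servers(SAMPLE_MCP_JSON):
        print(f"{server}: {pkg} is not pinned to an exact version")
```

A pin only freezes the version you reviewed; the review of each bump, which the first bullet calls for, is still the control that catches a release that turned hostile.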

Sources

  1. https://code.claude.com/docs/en/changelog
  2. https://support.claude.com/en/articles/12138966-release-notes
  3. https://www.anthropic.com/news
  4. https://blog.modelcontextprotocol.io/posts/2026-mcp-roadmap/
  5. https://workos.com/blog/mcp-2026-spec-agent-authentication
  6. https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/
  7. https://www.helpnetsecurity.com/2026/06/11/owasp-prompt-injection-ai-security-failures/
Krypteia Sec Research · June 29, 2026