[Week of April 27] — MCP Has a Security Problem. Here's What It Means for Builders.

WHAT I'M THINKING ABOUT

We've been building heavily with MCP at PowerMyFitness — it's core to how I think about agentic product infrastructure. So this week's disclosure landed hard: a critical design vulnerability in the Model Context Protocol affects 150 million downloads and 7,000+ exposed servers. We're talking arbitrary code execution, exposed API keys, internal database access. This isn't a fringe edge case. At Freedom Forever, I watched enterprise teams adopt new infrastructure with zero security discipline, every single time — and it always caught up with them. If your team is building with MCP right now: audit your servers, restrict your surface exposure, and don't let the speed of iteration outpace the risk of what you're connecting.

WHAT CAUGHT MY EYE

• Cloudflare published a reference architecture this week for enterprise MCP deployments — directly addressing the security and governance gaps surfaced by recent vulnerabilities. If you're scaling agentic workflows, bookmark this. infoq.com/news/2026/04/cloudflare-mcp

• Jack Dorsey explicitly attributed Block's 4,000-person layoff to AI — the first major, public AI-attributed workforce reduction at this scale. Enterprise SaaS leaders: your teams are watching how you frame this conversation. What's your narrative? coaio.com

• New research: 94% of PMs use AI regularly. Only 28% use it for prototyping. Wide adoption, shallow depth. Worth sitting with.

ONE THING

The real moat in 2026 isn't roadmap throughput — it's how fast your org updates its beliefs and ships a different answer. AI has made it trivially easy to clone surface-level product features in weeks. The defensible edge is organizational: do you notice what's changing faster than your competitors do? Build your feedback loops like they're a product feature. That's the question I'm measuring my teams against right now.

— Nick