OWASP LLM Top 10 2026 Changes: What's New, What's Gone, and What's Coming
A practitioner breakdown of the OWASP LLM Top 10 2026 changes — two new threat categories dropped, three proposed additions for 2026, and a companion
The OWASP LLM Top 10 ↗ 2026 changes are arriving in two waves: a published v2.0 update released in 2025 that retired two 2023 categories and added two new ones, and an in-progress 2026 edition now in community survey that proposes three additional threat categories driven by agentic deployments. A separate companion framework — the OWASP Top 10 for Agentic Applications — published independently and addresses the risk layer that emerges when LLMs control tools, memory, and multi-step execution.
This post tracks each confirmed change, what drove it, and what defenders should do differently as a result.
From v1.1 to v2.0: Confirmed Changes in the 2025 Edition
The original OWASP LLM Top 10 v1.1 (2023) reflected an era when LLMs were primarily deployed as chatbots or single-turn API endpoints. The v2.0 edition, published in 2025, redrew the list to reflect two years of real-world exploitation and the rise of RAG pipelines, multi-model orchestration, and production agentic systems ↗.
Two Categories Removed
Insecure Plugin Design (LLM07:2023) and Model Theft (LLM10:2023) were retired. Plugin design risks were not eliminated — they were absorbed. Supply chain (LLM03:2025) now covers third-party plugin and extension integrity, while Excessive Agency (LLM06:2025) covers unconstrained plugin execution. Model theft — unauthorized extraction of proprietary weights — was merged into supply chain concerns, reflecting that model exfiltration typically exploits API access rather than a distinct vulnerability class.
Two Categories Added
System Prompt Leakage (LLM07:2025) is new. Attackers can extract the system prompt through direct elicitation, jailbreak sequences, or by exploiting verbose error output that reflects prompt content. In agentic deployments the system prompt often encodes tool access policies, persona definitions, and backend credential hints — leakage is a lateral movement enabler, not just an embarrassment.
Vector and Embedding Weaknesses (LLM08:2025) is also new, added specifically for RAG architectures. Attackers who can influence the vector store — through poisoned documents, embedding manipulation, or cross-tenant namespace confusion — can redirect retrieval to surface malicious content without touching model weights. As RAG has moved from prototype to standard production pattern, the attack surface has materialized.
Major Reshuffling
Sensitive Information Disclosure moved from sixth to second. The 2025 working group found real-world incidents — including LLMs surfacing PII from training data, returning credentials embedded in context windows, and leaking data across multi-tenant deployments — more prevalent than the original ranking acknowledged.
Training Data Poisoning was renamed Data and Model Poisoning (LLM04:2025) and expanded to cover fine-tuning poisoning and embedding poisoning, not just pretraining data attacks. Model Denial of Service became Unbounded Consumption (LLM10:2025), broadening the category to include cost exhaustion and resource amplification attacks — reflecting that “availability” failures in LLM APIs are as likely to show up as runaway API spend as they are as classic denial-of-service.
The full 2025 list:
| Rank | Entry |
|---|---|
| LLM01:2025 | Prompt Injection ↗ |
| LLM02:2025 | Sensitive Information Disclosure |
| LLM03:2025 | Supply Chain |
| LLM04:2025 | Data and Model Poisoning |
| LLM05:2025 | Improper Output Handling |
| LLM06:2025 | Excessive Agency |
| LLM07:2025 | System Prompt Leakage |
| LLM08:2025 | Vector and Embedding Weaknesses |
| LLM09:2025 | Misinformation |
| LLM10:2025 | Unbounded Consumption |
For deeper coverage of Prompt Injection — still ranked first — including real CVE-rated exploits, see this breakdown of LLM prompt injection attack patterns ↗ at aisec.blog.
What the 2026 Edition Is Proposing
The 2026 revision is in active community survey as of mid-2026. The OWASP project lead published preliminary findings showing three proposed new threat categories driven by the expansion of autonomous and multimodal AI systems. None of these are finalized, but the survey signals strong consensus around each.
Agent Hijacking addresses what happens when an autonomous AI agent — one with access to file systems, APIs, code execution, or external communication — is compromised by an attacker who manipulates its goal or execution path. Direct prompt injection is one vector; indirect injection through retrieved content is another. The consequence is not a leaked response but an agent taking unauthorized real-world actions. For AI security incidents where agent-level compromise is the attack vector, ai-alert.org ↗ tracks disclosed cases.
Multi-Modal Injection extends the prompt injection attack surface to images, audio, and documents. Vision-capable models that process PDFs, screenshots, or audio transcripts can receive embedded instructions that are invisible to human reviewers but parsed by the model as directives. Text-only input validation cannot detect or block this vector.
Memory Persistence Attacks target persistent conversation and agent memory features. An attacker who plants instructions in long-term memory can influence model behavior across sessions — effectively establishing a persistent backdoor in the model’s reasoning context without touching model weights or infrastructure.
The 2026 survey also surfaced proposals to consolidate System Prompt Leakage into the Prompt Injection category, and to refine Excessive Agency to distinguish between permission failures and architectural over-privilege.
The Companion Framework: OWASP Agentic Top 10
Separately from the LLM Top 10, OWASP published the Top 10 for Agentic Applications (ASI:2026) ↗, a companion framework specifically for systems where LLMs plan, delegate, and act autonomously. The two frameworks address different risk layers: the LLM Top 10 addresses model-level failures, while the Agentic Top 10 addresses system-level failures that emerge from autonomy itself.
The Agentic Top 10 covers:
- ASI01:2026 Agent Goal Hijack — manipulation of agent goals or decision paths through injection
- ASI02:2026 Tool Misuse & Exploitation — agents abusing tools through unsafe composition or recursion
- ASI03:2026 Agent Identity & Privilege Abuse — delegated authority and trust assumption failures
- ASI04:2026 Agentic Supply Chain Compromise — compromise of external agents, tools, or schemas agents dynamically import
- ASI05:2026 Unexpected Code Execution — agent-generated or agent-triggered code running without isolation
- ASI06:2026 Memory & Context Poisoning — injection into agent memory influencing future reasoning
- ASI07:2026 Insecure Inter-Agent Communication — manipulation of messages between agents, planners, and executors
- ASI08:2026 Cascading Agent Failures — small failures propagating through connected agent systems
- ASI09:2026 Human-Agent Trust Exploitation — exploiting human over-reliance through misleading explanations
- ASI10:2026 Rogue Agents — agents acting beyond intended objectives through goal drift or emergent behavior
Security teams deploying multi-agent orchestration frameworks should treat the Agentic Top 10 as the primary threat model, not an extension of the LLM Top 10.
What Defenders Should Do Now
-
Map current controls to the 2025 list. If your threat model still references 2023 categories, you are missing Vector and Embedding Weaknesses and System Prompt Leakage entirely, and you are operating on outdated severity rankings for Sensitive Information Disclosure.
-
Audit RAG pipelines against LLM08:2025. Check for cross-tenant namespace isolation, validate document ingestion pipelines for poisoning vectors, and verify that retrieval results are logged and inspectable.
-
Treat system prompts as secrets. Apply the same access controls to system prompt content that you would apply to environment variables carrying API keys. Do not log raw system prompts in application telemetry.
-
Test agentic systems against the ASI framework. Red-team agent tool access, test for goal hijack via indirect injection in retrieved content, and verify that tool use is scoped to the minimum necessary permission set.
-
Track the 2026 survey outputs. The proposed additions — Agent Hijacking, Multi-Modal Injection, Memory Persistence Attacks — are likely to become formal categories. Gap-assess your controls now rather than after publication.
The shift from 2023 to the present reflects how fast the actual attack surface has moved: from single-model chatbot exploits to multi-agent orchestration compromises where model-level and system-level failures interact. The framework has kept pace; most enterprise LLM security programs have not.
Sources
- OWASP Top 10 for Large Language Model Applications ↗ — Official OWASP project page listing all published versions from v0.1 through v2025.
- LLM Top 10 Archive — OWASP Gen AI Security Project ↗ — Complete archive of the v1.1 (2023) and v2.0 (2025) lists with per-entry detail.
- OWASP Top 10 for Agentic Applications 2026 ↗ — Full ASI:2026 entries with descriptions and rationale, maintained by the DeepTeam LLM red-teaming project in reference to the OWASP agentic framework.
- Results from the 2026 OWASP Top 10 for LLM Applications Survey ↗ — Steve Wilson (OWASP LLM project lead) publishing community survey findings on proposed 2026 additions and refinements.
Related across the network
- Tool-Call Hijacking in Agentic Systems ↗ — aiattacks.dev
- OWASP LLM Top 10 Mitigation Guide: Controls for Every Risk Category (2025 Edition) ↗ — aisecreviews.com
- How to Detect Prompt Injection Attacks: A Practical Guide ↗ — bestaisecuritytools.com
- Best LLM Vulnerability Scanners 2026: Garak, PyRIT, Promptfoo, and Mindgard Compared ↗ — bestllmscanners.com
- Prompt Injection vs. Jailbreaking: Two Conflated Attack Classes ↗ — promptinjection.report
Sources
AI Sec Weekly — in your inbox
Weekly digest of AI security news and analysis. — delivered when there's something worth your inbox.
No spam. Unsubscribe anytime.
Related
LLM Prompt Injection Attack Examples: Direct, Indirect, and Agentic Exploits
A practitioner-level breakdown of LLM prompt injection attack examples — from basic instruction overrides to CVE-rated zero-click exploits in production
AI Sec Weekly: Friday, May 22, 2026
This week's digest: SSRF through agent tool-use, the model supply-chain class and why safetensors matters, and model extraction as a business risk.
AI on the Offense: Google's Zero-Day Warning, Reasoning-Model Jailbreaks, and Government Testing
Google says it caught an attacker using an LLM to find a zero-day, peer-reviewed research shows reasoning models can autonomously jailbreak other models