AI Sec Weekly
[Figure: isometric framework board showing dropped, new, and proposed OWASP LLM Top 10 categories for 2026]

OWASP LLM Top 10 2026 Changes: What's New, What's Gone, and What's Coming

A practitioner breakdown of the OWASP LLM Top 10 2026 changes — two threat categories dropped, three proposed additions for 2026, and a companion

By Aisecweekly Editorial · 7 min read

The OWASP LLM Top 10 2026 changes are arriving in two waves: a published v2.0 update, released in 2025, that retired two 2023 categories and added two new ones, and an in-progress 2026 edition, now in community survey, that proposes three additional threat categories driven by agentic deployments. A separate companion framework — the OWASP Top 10 for Agentic Applications — was published independently and addresses the risk layer that emerges when LLMs control tools, memory, and multi-step execution.

This post tracks each confirmed change, what drove it, and what defenders should do differently as a result.

From v1.1 to v2.0: Confirmed Changes in the 2025 Edition

The original OWASP LLM Top 10 v1.1 (2023) reflected an era when LLMs were primarily deployed as chatbots or single-turn API endpoints. The v2.0 edition, published in 2025, redrew the list to reflect two years of real-world exploitation and the rise of RAG pipelines, multi-model orchestration, and production agentic systems.

Two Categories Removed

Insecure Plugin Design (LLM07:2023) and Model Theft (LLM10:2023) were retired. Plugin design risks were not eliminated — they were absorbed. Supply chain (LLM03:2025) now covers third-party plugin and extension integrity, while Excessive Agency (LLM06:2025) covers unconstrained plugin execution. Model theft — unauthorized extraction of proprietary weights — was merged into supply chain concerns, reflecting that model exfiltration typically exploits API access rather than a distinct vulnerability class.

Two Categories Added

System Prompt Leakage (LLM07:2025) is new. Attackers can extract the system prompt through direct elicitation, jailbreak sequences, or by exploiting verbose error output that reflects prompt content. In agentic deployments the system prompt often encodes tool access policies, persona definitions, and backend credential hints — leakage is a lateral movement enabler, not just an embarrassment.

Vector and Embedding Weaknesses (LLM08:2025) is also new, added specifically for RAG architectures. Attackers who can influence the vector store — through poisoned documents, embedding manipulation, or cross-tenant namespace confusion — can redirect retrieval to surface malicious content without touching model weights. As RAG has moved from prototype to standard production pattern, the attack surface has materialized.

Major Reshuffling

Sensitive Information Disclosure moved from sixth to second. The 2025 working group found real-world incidents — including LLMs surfacing PII from training data, returning credentials embedded in context windows, and leaking data across multi-tenant deployments — more prevalent than the original ranking acknowledged.

Training Data Poisoning was renamed Data and Model Poisoning (LLM04:2025) and expanded to cover fine-tuning poisoning and embedding poisoning, not just pretraining data attacks. Model Denial of Service became Unbounded Consumption (LLM10:2025), broadening the category to include cost exhaustion and resource amplification attacks — reflecting that “availability” failures in LLM APIs are as likely to show up as runaway API spend as they are as classic denial-of-service.

The full 2025 list:

Rank        Entry
LLM01:2025  Prompt Injection
LLM02:2025  Sensitive Information Disclosure
LLM03:2025  Supply Chain
LLM04:2025  Data and Model Poisoning
LLM05:2025  Improper Output Handling
LLM06:2025  Excessive Agency
LLM07:2025  System Prompt Leakage
LLM08:2025  Vector and Embedding Weaknesses
LLM09:2025  Misinformation
LLM10:2025  Unbounded Consumption

For deeper coverage of Prompt Injection — still ranked first — including real CVE-rated exploits, see this breakdown of LLM prompt injection attack patterns at aisec.blog.

What the 2026 Edition Is Proposing

The 2026 revision is in active community survey as of mid-2026. The OWASP project lead published preliminary findings showing three proposed new threat categories driven by the expansion of autonomous and multimodal AI systems. None of these are finalized, but the survey signals strong consensus around each.

Agent Hijacking addresses what happens when an autonomous AI agent — one with access to file systems, APIs, code execution, or external communication — is compromised by an attacker who manipulates its goal or execution path. Direct prompt injection is one vector; indirect injection through retrieved content is another. The consequence is not a leaked response but an agent taking unauthorized real-world actions. For AI security incidents where agent-level compromise is the attack vector, ai-alert.org tracks disclosed cases.

Multi-Modal Injection extends the prompt injection attack surface to images, audio, and documents. Vision-capable models that process PDFs, screenshots, or audio transcripts can receive embedded instructions that are invisible to human reviewers but parsed by the model as directives. Text-only input validation cannot detect or block this vector.

Memory Persistence Attacks target persistent conversation and agent memory features. An attacker who plants instructions in long-term memory can influence model behavior across sessions — effectively establishing a persistent backdoor in the model’s reasoning context without touching model weights or infrastructure.

The 2026 survey also surfaced proposals to consolidate System Prompt Leakage into the Prompt Injection category, and to refine Excessive Agency to distinguish between permission failures and architectural over-privilege.

The Companion Framework: OWASP Agentic Top 10

Separately from the LLM Top 10, OWASP published the Top 10 for Agentic Applications (ASI:2026), a companion framework specifically for systems where LLMs plan, delegate, and act autonomously. The two frameworks address different risk layers: the LLM Top 10 addresses model-level failures, while the Agentic Top 10 addresses system-level failures that emerge from autonomy itself.

The Agentic Top 10 covers:

  • ASI01:2026 Agent Goal Hijack — manipulation of agent goals or decision paths through injection
  • ASI02:2026 Tool Misuse & Exploitation — agents abusing tools through unsafe composition or recursion
  • ASI03:2026 Agent Identity & Privilege Abuse — delegated authority and trust assumption failures
  • ASI04:2026 Agentic Supply Chain Compromise — compromise of external agents, tools, or schemas agents dynamically import
  • ASI05:2026 Unexpected Code Execution — agent-generated or agent-triggered code running without isolation
  • ASI06:2026 Memory & Context Poisoning — injection into agent memory influencing future reasoning
  • ASI07:2026 Insecure Inter-Agent Communication — manipulation of messages between agents, planners, and executors
  • ASI08:2026 Cascading Agent Failures — small failures propagating through connected agent systems
  • ASI09:2026 Human-Agent Trust Exploitation — exploiting human over-reliance through misleading explanations
  • ASI10:2026 Rogue Agents — agents acting beyond intended objectives through goal drift or emergent behavior

Security teams deploying multi-agent orchestration frameworks should treat the Agentic Top 10 as the primary threat model, not an extension of the LLM Top 10.

What Defenders Should Do Now

  1. Map current controls to the 2025 list. If your threat model still references 2023 categories, you are missing Vector and Embedding Weaknesses and System Prompt Leakage entirely, and you are operating on outdated severity rankings for Sensitive Information Disclosure.

  2. Audit RAG pipelines against LLM08:2025. Check for cross-tenant namespace isolation, validate document ingestion pipelines for poisoning vectors, and verify that retrieval results are logged and inspectable.

  3. Treat system prompts as secrets. Apply the same access controls to system prompt content that you would apply to environment variables carrying API keys. Do not log raw system prompts in application telemetry.

  4. Test agentic systems against the ASI framework. Red-team agent tool access, test for goal hijack via indirect injection in retrieved content, and verify that tool use is scoped to the minimum necessary permission set.

  5. Track the 2026 survey outputs. The proposed additions — Agent Hijacking, Multi-Modal Injection, Memory Persistence Attacks — are likely to become formal categories. Gap-assess your controls now rather than after publication.
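As an added example (not code from OWASP or from this post), the Python sketch below ties steps 2 and 3 together: retrieval is filtered by the caller's tenant namespace and re-verified before results are returned, every retrieval is logged in an inspectable form, and the system prompt reaches telemetry only as a digest. The store, tenants, documents and prompt are constructed, and keyword overlap stands in for a real vector search.

```python
import hashlib
import json
import re

class TenantIsolationError(RuntimeError):
    """Raised if a retrieval result ever carries another tenant's namespace."""

# Constructed sample store: two tenants whose documents share one index.
STORE = [
    {"tenant": "acme", "doc_id": "acme-hr-1", "text": "Acme payroll runs on the 25th."},
    {"tenant": "acme", "doc_id": "acme-it-2", "text": "Acme VPN requires device certificates."},
    {"tenant": "globex", "doc_id": "globex-fin-1", "text": "Globex Q3 forecast is confidential."},
]
# Constructed system prompt; treat it like an API key in a real deployment.
SYSTEM_PROMPT = "You are AcmeBot. Tool policy: never call delete_user."

def _words(s: str) -> set:
    return set(re.findall(r"\w+", s.lower()))

def retrieve(query: str, tenant: str, k: int = 2) -> list:
    """Tenant-scoped retrieval (the LLM08:2025 audit point). The namespace
    filter is a hard predicate applied before scoring, and results are
    re-checked afterwards so a namespace-confusion bug in the store can
    never hand one tenant another tenant's chunks. Keyword overlap stands
    in for vector similarity in this example."""
    candidates = [c for c in STORE if c["tenant"] == tenant]
    score = lambda c: -len(_words(query) & _words(c["text"]))
    hits = sorted(candidates, key=score)[:k]
    if any(c["tenant"] != tenant for c in hits):
        raise TenantIsolationError(f"cross-tenant chunk returned for {tenant}")
    return hits

def telemetry_record(tenant: str, query: str, hits: list) -> dict:
    """Inspectable retrieval log (doc ids plus content digests) that records
    the system prompt only as a digest, never verbatim (LLM07:2025)."""
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()[:16]
    record = {
        "tenant": tenant,
        "query": query,
        "retrieved": [{"doc_id": c["doc_id"], "sha256": digest(c["text"])} for c in hits],
        "system_prompt_sha256": digest(SYSTEM_PROMPT),
    }
    if SYSTEM_PROMPT in json.dumps(record):  # guard against prompt reflection
        raise ValueError("system prompt must not appear in telemetry")
    return record

if __name__ == "__main__":
    hits = retrieve("VPN certificates", "acme", k=1)
    print(json.dumps(telemetry_record("acme", "VPN certificates", hits), indent=2))
```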

The shift from 2023 to the present reflects how fast the actual attack surface has moved: from single-model chatbot exploits to multi-agent orchestration compromises where model-level and system-level failures interact. The framework has kept pace; most enterprise LLM security programs have not.


Sources

  1. OWASP Top 10 for Large Language Model Applications — OWASP Foundation
  2. LLM Top 10 Archive — OWASP Gen AI Security Project
  3. OWASP Top 10 for Agentic Applications 2026 — DeepTeam
  4. Results from the 2026 OWASP Top 10 for LLM Applications Survey — Steve Wilson, LinkedIn