
OWASP Top 10 for LLM Applications (2025 edition)

OWASP's Top 10 for Large Language Model applications, the de-facto checklist for any product team shipping LLM-backed features. The entries below are mapped to EU AI Act Article 15 (accuracy, robustness and cybersecurity) requirements, MITRE ATLAS adversarial techniques and NIST AI RMF MEASURE-function controls. Maintained by the OWASP GenAI Security Project. The ten OWASP entries (LLM01 to LLM10) are followed by two catalogue-specific controls that back LLM08 and LLM06.

Severity summary (12 entries): 4 critical, 6 high, 2 medium
LLM01 | OWASP-LLM-001 | severity: critical

Prompt Injection

Crafted inputs cause the LLM to disregard its system prompt or perform unintended actions. Direct injection arrives in the user's own input; indirect injection arrives in content the LLM retrieves or is handed (web pages, documents, e-mails, tool results), which the model cannot reliably tell apart from instructions.

LLM02 | OWASP-LLM-002 | severity: critical

Sensitive Information Disclosure

The LLM discloses sensitive information: PII memorised from training data, business secrets embedded in the system prompt, or other customers' data accumulated in conversation history or retrieval context.

LLM03 | OWASP-LLM-003 | severity: critical

Supply Chain Vulnerabilities

Compromised models, datasets, libraries, or pre-trained components introduce risk into LLM applications.

LLM04 | OWASP-LLM-004 | severity: critical

Data and Model Poisoning

An adversary alters pre-training, fine-tuning or embedding data to compromise model behaviour (backdoors, biased or attacker-chosen outputs, degraded accuracy).

LLM05 | OWASP-LLM-005 | severity: high

Improper Output Handling

LLM output is passed to downstream systems (SQL, shell, file system, web browser) without validation or context-appropriate encoding. The rule is that LLM output is untrusted input: treat it exactly like a request body from an anonymous user, so parameterise queries, avoid shells, and encode for the output context.
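The two failure modes named above (SQL and shell), each beside its hardened form, as an added example; this is not code from the OWASP page. The database rows, the injected model answer and the `echo` command are constructed for illustration.

```python
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): customers in two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, tenant TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            (1, "acme", "alice@acme.example"),
            (2, "acme", "bob@acme.example"),
            (3, "globex", "carol@globex.example"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tenant: str, llm_output: str) -> list[str]:
    """LLM05 anti-pattern: the model's answer is spliced into the SQL text.

    An injected or hallucinated answer such as "x' OR 'a' LIKE 'a" rewrites the
    WHERE clause and returns every tenant's rows.
    """
    sql = (
        f"SELECT email FROM customers "
        f"WHERE tenant = '{tenant}' AND email LIKE '{llm_output}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, tenant: str, llm_output: str) -> list[str]:
    """Model output handled as untrusted data: bound parameter, never SQL text.

    The tenant comes from the authenticated session, not from the model, and
    LIKE wildcards in the model's text are escaped so it cannot widen the match.
    """
    escaped = (
        llm_output.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT email FROM customers "
        "WHERE tenant = ? AND email LIKE ? ESCAPE '\\'"
    )
    return [row[0] for row in conn.execute(sql, (tenant, escaped + "%"))]


def run_vulnerable(llm_output: str) -> str:
    """Same mistake one layer down: model text interpolated into a shell command line."""
    return subprocess.run(
        f"echo {llm_output}", shell=True, capture_output=True, text=True
    ).stdout


def run_hardened(llm_output: str) -> str:
    """argv list and no shell: whatever the model produced is one literal argument."""
    return subprocess.run(
        ["echo", llm_output], capture_output=True, text=True
    ).stdout


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR 'a' LIKE 'a"  # constructed: what an injected model might answer
    print(lookup_vulnerable(conn, "acme", payload))  # every tenant's rows
    print(lookup_hardened(conn, "acme", payload))    # []
    print(run_vulnerable("hello; echo INJECTED"))     # two commands ran
    print(run_hardened("hello; echo INJECTED"))       # one literal string
```

Note that the hardened query still lets the model choose the search prefix; that is the intended degree of freedom. What it can no longer choose is the query structure or the tenant scope.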

LLM06 | OWASP-LLM-006 | severity: high

Excessive Agency

Granting LLM-powered agents more permissions, autonomy or backend access than the task requires, so that a prompt injection or a hallucinated tool call can produce real-world side effects (sending mail, deleting records, spending money) that the human behind the session never authorised.

LLM07 | OWASP-LLM-007 | severity: medium

System Prompt Leakage

System prompts that embed sensitive material (business logic, credentials, authorisation rules) are exposed through model output, jailbreaks or prompt injection. The underlying weakness is relying on the prompt for secrecy or access control; the leak itself only reveals that reliance, so secrets and authorisation checks belong outside the prompt.

LLM08 | OWASP-LLM-008 | severity: high

Vector and Embedding Weaknesses

Weaknesses in vector databases (Milvus, Weaviate, Qdrant, Pinecone, Chroma) and RAG embeddings: injection via indexed content, cross-tenant leakage when similarity search over a shared index is not scoped to the caller's tenant, and unauthenticated access to the store.
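The cross-tenant leakage case, shown on a toy in-memory vector store, as an added example rather than anything from the OWASP page or from a real vector database. The embedding is a constructed hashed bag-of-words with no semantics; the point is where the tenant filter lives, which is independent of the embedding model, and the three documents are constructed.

```python
import hashlib
import math
from dataclasses import dataclass, field

DIM = 64  # toy embedding width


def embed(text: str) -> list[float]:
    """Deterministic stand-in for an embedding model: hashed bag of words, unit length.

    Constructed for this example only; a real model would replace it without
    changing the isolation logic below.
    """
    vec = [0.0] * DIM
    for tok in text.lower().split():
        bucket = int.from_bytes(hashlib.sha256(tok.encode()).digest()[:4], "big") % DIM
        vec[bucket] += 1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def cosine(a: list[float], b: list[float]) -> float:
    return sum(x * y for x, y in zip(a, b))  # inputs are unit vectors


@dataclass
class Chunk:
    tenant: str  # set by the ingestion service from the session, never taken from the document
    text: str
    vec: list[float] = field(init=False)

    def __post_init__(self) -> None:
        self.vec = embed(self.text)


class VectorStore:
    def __init__(self) -> None:
        self._chunks: list[Chunk] = []

    def add(self, tenant: str, text: str) -> None:
        self._chunks.append(Chunk(tenant, text))

    def search_unscoped(self, query: str, k: int = 3) -> list[str]:
        """LLM08 anti-pattern: one shared index, ranked across every tenant.

        Whatever is nearest comes back, including another customer's chunk, and
        the RAG prompt then carries that text to the model and on to the user.
        """
        q = embed(query)
        ranked = sorted(self._chunks, key=lambda c: cosine(c.vec, q), reverse=True)
        return [c.text for c in ranked[:k]]

    def search(self, tenant: str, query: str, k: int = 3) -> list[str]:
        """Tenant scope applied inside the store, before ranking.

        The filter is a required parameter, so a caller cannot forget it, and it
        matches metadata the store wrote at ingest, not anything in the query.
        """
        q = embed(query)
        candidates = [c for c in self._chunks if c.tenant == tenant]
        ranked = sorted(candidates, key=lambda c: cosine(c.vec, q), reverse=True)
        return [c.text for c in ranked[:k]]


def build_sample_store() -> VectorStore:
    """Constructed corpus: two tenants whose documents overlap in wording."""
    store = VectorStore()
    store.add("acme", "acme revenue forecast for the next quarter")
    store.add("acme", "acme office holiday schedule")
    store.add("globex", "globex revenue forecast board confidential")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(store.search_unscoped("revenue forecast"))   # globex chunk leaks into acme's context
    print(store.search("acme", "revenue forecast"))    # only acme chunks
```

With a real database the same principle means a mandatory metadata filter (or one collection per tenant) enforced by the retrieval service, not a filter the prompt-assembly code is trusted to add.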

LLM09 | OWASP-LLM-009 | severity: medium

Misinformation

Reliance on LLM-generated misinformation, hallucinations, or fabricated citations. Particularly impactful in legal, medical, financial, and journalistic contexts.

LLM10 | OWASP-LLM-010 | severity: high

Unbounded Consumption

Adversarial high-cost queries drain budget, exhaust capacity or deny service. Inference cost scales with input and output tokens, so unbounded requests enable economic denial of service (denial of wallet), and unlimited querying also enables model extraction through repeated sampling.
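A per-principal admission gate that bounds the three quantities an attacker can inflate (request rate, prompt length, completion length) and tracks spend against an hourly budget, added here as an example and not taken from the OWASP page. The prices, limits and the 4-characters-per-token estimate are constructed placeholders; real deployments use the provider's tokenizer and price list.

```python
import time
from collections import deque
from dataclasses import dataclass, field

# Constructed list prices for the example (USD per 1,000 tokens); substitute the
# real provider's numbers. Output tokens usually cost several times input tokens.
PRICE_INPUT = 0.003
PRICE_OUTPUT = 0.015


class BudgetExceeded(Exception):
    """Raised before inference when a request would breach a limit."""


def estimate_tokens(text: str) -> int:
    """Pre-call estimate at ~4 characters per token; use the real tokenizer in production."""
    return max(1, len(text) // 4)


@dataclass
class CallerBudget:
    """Per-principal limits enforced before the model is ever called."""
    max_input_tokens: int = 4000
    max_output_tokens: int = 1000
    requests_per_minute: int = 20
    usd_per_hour: float = 1.00
    _requests: deque = field(default_factory=deque)  # timestamps of admitted calls
    _spend: deque = field(default_factory=deque)     # (timestamp, usd) of settled calls

    def _prune(self, now: float) -> None:
        while self._requests and now - self._requests[0] > 60:
            self._requests.popleft()
        while self._spend and now - self._spend[0][0] > 3600:
            self._spend.popleft()

    def spent_last_hour(self, now: float) -> float:
        self._prune(now)
        return sum(usd for _, usd in self._spend)

    def admit(self, prompt: str, requested_output_tokens: int, now: float) -> int:
        """Gate one call. Returns the max_tokens value to hand to the provider."""
        self._prune(now)
        if len(self._requests) >= self.requests_per_minute:
            raise BudgetExceeded("rate limit")
        input_tokens = estimate_tokens(prompt)
        if input_tokens > self.max_input_tokens:
            raise BudgetExceeded(f"prompt too long: {input_tokens} tokens")
        # The client never sets max_tokens directly; its request is clamped here.
        output_cap = min(requested_output_tokens, self.max_output_tokens)
        worst_case_usd = (input_tokens * PRICE_INPUT + output_cap * PRICE_OUTPUT) / 1000
        if self.spent_last_hour(now) + worst_case_usd > self.usd_per_hour:
            raise BudgetExceeded("hourly spend budget")
        self._requests.append(now)
        return output_cap

    def settle(self, input_tokens: int, output_tokens: int, now: float) -> None:
        """Record the provider's reported usage once the call completes."""
        usd = (input_tokens * PRICE_INPUT + output_tokens * PRICE_OUTPUT) / 1000
        self._spend.append((now, usd))


def try_admit(budget: CallerBudget, prompt: str, requested_output_tokens: int, now: float):
    """Return the clamped max_tokens, or the refusal reason as a string."""
    try:
        return budget.admit(prompt, requested_output_tokens, now)
    except BudgetExceeded as exc:
        return str(exc)


if __name__ == "__main__":
    budget = CallerBudget(requests_per_minute=2, usd_per_hour=0.05)
    now = time.monotonic()
    print(try_admit(budget, "Summarise this ticket", 4000, now))  # clamped to 1000
    print(try_admit(budget, "x" * 20000, 10, now))                # prompt too long
```

The budget is checked against the worst case (input estimate plus the full clamped completion) so an attacker cannot get a request admitted on a cheap estimate and then run the completion to its limit. Settling with the provider's actual usage afterwards keeps the rolling total honest.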

LLM-VECTOR-AUTH | OWASP-LLM-VEC-001 | severity: high

Vector Database Authentication and Network Isolation

The vector database requires authentication on every access path (client API, any gRPC or admin port, and the dashboard); network isolation keeps it off the public internet and reachable only from the retrieval service.

LLM-AGENT-AUDIT | OWASP-LLM-AGT-001 | severity: high

Agent Tool Invocation Logging

Every LLM agent tool invocation is logged with its input, output, authorisation context (which principal, which scopes) and timing, including calls that were refused, giving a forensic trail of agent behaviour.
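One tool-dispatch layer that serves both LLM06 (Excessive Agency) and this control: tools are allow-listed, each is gated by a scope that belongs to the human principal rather than to the agent, tool arguments are confined, and every invocation, refused or not, is written as a JSON audit line with input, output, authorisation context and duration. This is an added example, not the page's or OWASP's code; the file store, the `read_doc` and `send_email` tools and the scope names are constructed for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from pathlib import PurePosixPath


class ToolDenied(Exception):
    """A tool call the policy refuses; distinct from a tool that ran and failed."""


@dataclass(frozen=True)
class AuthContext:
    """The human principal behind the agent session. Scopes are theirs, not the agent's."""
    user: str
    scopes: frozenset


# Constructed stand-in for a document store, so the example runs offline.
FILES = {
    "docs/readme.txt": "Onboarding notes for the support team.",
    "secrets/.env": "DB_PASSWORD=not-for-the-model",
}
DOC_ROOT = PurePosixPath("docs")


def read_doc(path: str) -> str:
    """Tool body: confined to DOC_ROOT; rejects absolute paths and '..' segments."""
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        raise ToolDenied(f"path escapes {DOC_ROOT}: {path}")
    key = (DOC_ROOT / p).as_posix()
    if key not in FILES:
        raise FileNotFoundError(path)
    return FILES[key]


def send_email(to: str, body: str) -> str:
    """Tool body: hypothetical stand-in for a real mail API."""
    return f"queued mail to {to} ({len(body)} chars)"


class ToolRegistry:
    """Allow-listed tools, each gated by a scope; every invocation goes to the audit sink."""

    def __init__(self, audit_sink: list):
        self._tools: dict = {}    # name -> (required scope, callable)
        self._audit = audit_sink  # JSON lines; a real deployment ships these to a SIEM

    def register(self, name: str, scope: str, fn) -> None:
        self._tools[name] = (scope, fn)

    def invoke(self, ctx: AuthContext, name: str, args: dict):
        started = time.monotonic()
        record = {"ts": time.time(), "user": ctx.user, "scopes": sorted(ctx.scopes),
                  "tool": name, "args": args}
        try:
            if name not in self._tools:
                raise ToolDenied(f"unknown tool {name!r}")  # the model invented a tool
            scope, fn = self._tools[name]
            if scope not in ctx.scopes:
                raise ToolDenied(f"{name} requires scope {scope!r}")
            result = fn(**args)
            record["outcome"] = "ok"
            record["result_preview"] = str(result)[:120]
            record["result_sha256"] = hashlib.sha256(str(result).encode()).hexdigest()
            return result
        except ToolDenied as exc:
            record["outcome"], record["error"] = "denied", str(exc)
            raise
        except Exception as exc:
            record["outcome"], record["error"] = "error", repr(exc)
            raise
        finally:
            record["duration_ms"] = round((time.monotonic() - started) * 1000, 3)
            self._audit.append(json.dumps(record, sort_keys=True))


def build_registry(audit_sink: list) -> ToolRegistry:
    reg = ToolRegistry(audit_sink)
    reg.register("read_doc", "docs:read", read_doc)
    reg.register("send_email", "mail:send", send_email)
    return reg


def safe_invoke(reg: ToolRegistry, ctx: AuthContext, name: str, args: dict) -> tuple:
    """Wrapper returning ('ok', result) or ('denied' | 'error', message)."""
    try:
        return "ok", reg.invoke(ctx, name, args)
    except ToolDenied as exc:
        return "denied", str(exc)
    except Exception as exc:
        return "error", repr(exc)


def audit_records(audit_sink: list) -> list:
    """Parse the JSON lines back into dicts for review tooling."""
    return [json.loads(line) for line in audit_sink]


if __name__ == "__main__":
    sink: list = []
    reg = build_registry(sink)
    alice = AuthContext("alice", frozenset({"docs:read"}))  # support agent, may read docs only
    print(safe_invoke(reg, alice, "read_doc", {"path": "readme.txt"}))
    print(safe_invoke(reg, alice, "read_doc", {"path": "../secrets/.env"}))   # traversal refused
    print(safe_invoke(reg, alice, "send_email", {"to": "x@example.com", "body": "hi"}))  # no mail scope
    for line in sink:
        print(line)
```

Logging the output as a preview plus a digest keeps full model or document text out of the log while still letting an investigator prove what the tool returned. The refusal records matter as much as the successes: a burst of "denied" entries for traversal paths or unregistered tool names is the detection signal for an injection attempt against the agent.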