OWASP LLM Top 10 in practice — what each risk looks like in production

The OWASP LLM Top 10 is a risk taxonomy. But taxonomies don’t stop breaches — understanding attack patterns does. Here’s what each risk actually looks like when your LLM-powered system is in production.

LLM01: Prompt Injection → CVE-2025-53773

The abstract risk: User prompts alter the LLM’s behavior in unintended ways.

What it looks like in production: A developer opens a pull request. The PR description contains hidden Unicode instructions invisible to reviewers but parsed by GitHub Copilot. Copilot generates malicious code suggestions that exfiltrate repository secrets. CVSS 9.6.

The pattern: Indirect prompt injection is the real threat — the attacker never touches the LLM directly. They poison a data source (PR description, email, webpage, document) the LLM later reads.

Defense: Content isolation — process untrusted content in a separate context from privileged instructions. Never mix system prompts with user-supplied documents in the same message.

LLM02: Insecure Output Handling → CVE-2025-68664

The abstract risk: Trusting model outputs without validation.

What it looks like in production: LangChain Core deserializes LLM response metadata (additional_kwargs, response_metadata) during streaming. An attacker uses prompt injection to make the LLM embed malicious serialized objects in these fields. LangChain deserializes them → arbitrary code execution. CVSS 9.3.

The pattern: The LLM’s output becomes code input. Any field that flows from model output to eval(), deserialize(), exec(), or template rendering is an injection vector.

Defense: Treat every model output field as untrusted. Sanitize before deserialization. Validate against expected schemas.

LLM03: Training Data Poisoning

What it looks like in production: A competitor submits thousands of subtly misleading code examples to a public fine-tuning dataset. Models trained on this data generate code with hard-to-spot logic errors — off-by-one bugs, incorrect crypto parameters, wrong timeout values.

Defense: Audit training data provenance. Use reproducible training pipelines. Monitor model behavior for regression after data updates.

LLM04: Model Denial of Service

What it looks like in production: An attacker sends prompts designed to maximize token consumption — deeply nested reasoning chains, requests to “explain every step in detail,” or adversarial inputs that cause the model to loop. Your API costs spike 100x in an hour.

Defense: Set hard per-request token limits. Rate-limit by user. Monitor cost anomalies in real-time.

LLM05: Supply Chain Vulnerabilities

What it looks like in production: Your agentic system uses 5 MCP servers. One of them — a community-built integration for reading Google Sheets — is compromised. The attacker pushes a new version that exfiltrates any data the agent reads through the server.

This is the emerging risk for 2026. As agents compose more tools via MCP, the supply chain attack surface grows exponentially.

Defense: Pin MCP server versions. Audit third-party tool code. Use least-privilege — don’t give a spreadsheet reader shell access.

LLM06: Sensitive Information Disclosure

What it looks like in production: Your customer support agent has access to the full CRM database via tool calls. A customer asks: “What did the previous customer complain about?” The agent, trained to be helpful, queries the CRM and leaks another customer’s data.

Defense: Implement per-user data boundaries at the tool level, not in the prompt. The model will eventually hallucinate past prompt guardrails.

LLM07: Insecure Plugin Design

What it looks like in production: Your agent has a “send email” tool that accepts to, subject, and body parameters. No validation on the to field. A prompt injection convinces the agent to email sensitive data to an external address.

Defense: Validate tool inputs against allowlists. The email tool should only send to addresses the user explicitly authorized.

LLM08: Excessive Agency

What it looks like in production: Your coding agent has Bash, Read, Write, Edit, and WebSearch tools. It needs Read and Edit for its task. But because it also has Bash, a prompt injection can escalate to full shell access — rm -rf, curl to external servers, credential theft.

Defense: Least privilege. An agent that edits code doesn’t need Bash. An agent that searches the web doesn’t need Write. Every tool is an attack surface.

The bottom line

The OWASP LLM Top 10 is useful as a checklist. But the real risks in 2026 are at the intersection of these categories — prompt injection (LLM01) that leads to insecure output handling (LLM02) via an overly-privileged agent (LLM08) using a compromised supply chain tool (LLM05). Defense-in-depth is the only viable strategy.