OWASP Top 10 for Agentic Applications
Artificial Intelligence (AI) is now used across many industries, and increasingly these systems no longer just generate text: they take actions, make decisions, and operate autonomously across complex workflows. Understanding the security implications of these agentic technologies is more important than ever. The Open Web Application Security Project (OWASP) has long identified and addressed the most critical security risks in software development. With the rapid rise of autonomous AI agents that plan, act, and coordinate with other systems, OWASP has extended that work to highlight the top 10 security risks specific to agentic applications. This learning path is designed to give you a comprehensive understanding of these risks and equip you with the knowledge to secure agent-driven applications.
By exploring these lessons, you will gain insight into the vulnerabilities that emerge when AI systems are granted autonomy and the ability to act, the potential consequences of these risks, and the best practices to mitigate them. Whether you are a developer, security professional, or AI enthusiast, mastering these concepts is essential to ensure the safe and ethical deployment of agentic AI technologies in the real world.
ASI01: Agent Goal Hijack
Agent goal hijack occurs when an attacker manipulates an agent's objectives, task selection, or decision pathways through techniques like prompt injection, deceptive tool outputs, forged agent messages, or poisoned external data. Because agents cannot reliably distinguish legitimate instructions from attacker-controlled content, manipulated inputs can redirect the agent's goals and multi-step behavior toward unintended or harmful outcomes.
ASI02: Tool Misuse and Exploitation
Tool misuse and exploitation occurs when an agent operates within its authorized privileges but applies a legitimate tool in an unsafe or unintended way, such as deleting valuable data, over-invoking costly APIs, or exfiltrating information. These risks arise from how the agent selects and chains tools, and can be triggered by prompt injection, misalignment, unsafe delegation, or ambiguous instructions.
ASI03: Identity and Privilege Abuse
Identity and privilege abuse exploits the dynamic trust and delegation in agentic systems to escalate access and bypass controls by manipulating delegation chains, role inheritance, and cached credentials or context. Without a distinct, governed identity of its own, an agent operates in an attribution gap that makes enforcing true least privilege difficult and allows inherited credentials or agent-to-agent trust to be abused.
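The two risks above (ASI02 tool misuse and ASI03 identity and privilege abuse) share a mitigation pattern: give each agent a governed identity of its own, let delegation only narrow scopes, and run every tool call through a gate that checks scope, argument constraints, a per-session budget and, for destructive tools, a human confirmation step. The following is an added illustration written for this page, not OWASP's code or any framework's API; the agent names, scope strings, tools and limits are all hypothetical.

```python
"""Tool-call authorization gate for an agent runtime.

Constructed example: agent names, scopes, tools and budgets are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AgentIdentity:
    """A distinct identity for the agent, not an inherited user credential."""
    name: str
    scopes: frozenset
    parent: Optional["AgentIdentity"] = None

    def delegate(self, child_name: str, requested: set) -> "AgentIdentity":
        # Delegation may only narrow the scope set, never widen it (ASI03).
        requested = frozenset(requested)
        if not requested <= self.scopes:
            extra = sorted(requested - self.scopes)
            raise PermissionError(f"{self.name} cannot grant {extra} to {child_name}")
        return AgentIdentity(child_name, requested, self)

    def chain(self) -> str:
        """Delegation chain, so every decision is attributable to a concrete agent."""
        return self.name if self.parent is None else f"{self.parent.chain()} -> {self.name}"


# Policy per tool: required scope, per-session call budget, optional argument
# validators, and whether a human must confirm the call before it runs (ASI02).
TOOL_POLICY = {
    "read_ticket":   {"scope": "tickets:read",   "budget": 50},
    "delete_ticket": {"scope": "tickets:delete", "budget": 3, "confirm": True},
    "send_email":    {"scope": "mail:send",      "budget": 5,
                      "arg_checks": {"to": lambda v: str(v).endswith("@example.com")}},
}


class ToolGate:
    def __init__(self, policy: dict):
        self.policy = policy
        self.usage: dict = {}   # (agent name, tool) -> calls allowed so far
        self.log: list = []     # audit trail: (chain, tool, allowed, reason)

    def check(self, agent: AgentIdentity, tool: str, args: dict,
              confirmed: bool = False) -> tuple:
        """Return (allowed, reason). Only allowed calls consume budget."""
        rule = self.policy.get(tool)
        if rule is None:
            return self._decide(agent, tool, False, "tool not in allowlist")
        if rule["scope"] not in agent.scopes:
            return self._decide(agent, tool, False, f"missing scope {rule['scope']}")
        for name, ok in rule.get("arg_checks", {}).items():
            if name not in args or not ok(args[name]):
                return self._decide(agent, tool, False, f"argument {name!r} rejected")
        if rule.get("confirm") and not confirmed:
            return self._decide(agent, tool, False, "human confirmation required")
        key = (agent.name, tool)
        if self.usage.get(key, 0) >= rule["budget"]:
            return self._decide(agent, tool, False, "budget exhausted")
        self.usage[key] = self.usage.get(key, 0) + 1
        return self._decide(agent, tool, True, "ok")

    def _decide(self, agent: AgentIdentity, tool: str, allowed: bool, reason: str) -> tuple:
        self.log.append((agent.chain(), tool, allowed, reason))
        return allowed, reason


def demo() -> dict:
    """Walk a delegation chain through the gate; returns each outcome by label."""
    gate = ToolGate(TOOL_POLICY)
    orchestrator = AgentIdentity(
        "orchestrator", frozenset({"tickets:read", "tickets:delete", "mail:send"}))
    triage = orchestrator.delegate("triage", {"tickets:read"})   # narrowed scope
    out = {}
    out["triage_read"] = gate.check(triage, "read_ticket", {"id": 42})
    out["triage_delete"] = gate.check(triage, "delete_ticket", {"id": 42})
    out["orch_delete_unconfirmed"] = gate.check(orchestrator, "delete_ticket", {"id": 42})
    out["orch_delete_confirmed"] = gate.check(orchestrator, "delete_ticket", {"id": 42},
                                              confirmed=True)
    out["orch_mail_external"] = gate.check(orchestrator, "send_email",
                                           {"to": "someone@attacker.invalid"})
    try:                                   # a sub-agent cannot widen its own scope
        triage.delegate("helper", {"tickets:delete"})
        out["widen"] = "allowed"
    except PermissionError:
        out["widen"] = "denied"
    for _ in range(50):                    # runaway loop burns through the budget
        gate.check(triage, "read_ticket", {"id": 1})
    out["triage_read_over_budget"] = gate.check(triage, "read_ticket", {"id": 1})
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The gate is deliberately outside the model: the agent can ask for anything, but scope, argument validation, confirmation and budget are enforced by ordinary code that the prompt cannot rewrite, and the audit log records the full delegation chain so a bad action can be attributed to a specific agent rather than to the user whose session it ran in.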
ASI04: Agentic Supply Chain Vulnerabilities
Agentic supply chain vulnerabilities arise when the agents, tools, models, datasets, and interfaces an agent depends on are malicious, compromised, or tampered with, introducing unsafe code, hidden instructions, or deceptive behavior into its execution chain. Unlike traditional software supply chains, agentic ecosystems compose capabilities dynamically at runtime, shifting the focus from static dependency manifests to runtime security of opaque, dynamically loaded components.
ASI05: Unexpected Code Execution (RCE)
Unexpected code execution occurs when attackers exploit an agent's code-generation features or embedded tool access to run unintended or adversarial code, leading to host or container compromise, persistence, or sandbox escape. Because agents often generate and execute code in real time, prompt injection, unsafe deserialization, or chained tool calls can convert text into executable behavior that bypasses traditional security controls.
ASI06: Memory & Context Poisoning
Memory and context poisoning occurs when adversaries corrupt or seed an agent's stored and retrievable information, such as conversation history, summaries, embeddings, or RAG stores, with malicious or misleading data. This persistent corruption propagates across sessions and reasoning cycles, causing future planning, decisions, and tool use to become biased or unsafe.
ASI07: Insecure Inter-Agent Communication
Insecure inter-agent communication occurs when the exchanges between coordinating agents lack proper authentication, integrity, confidentiality, or semantic validation, allowing attackers to intercept, spoof, manipulate, or replay messages. Because multi-agent systems are decentralized and carry uneven trust, these weaknesses span transport, routing, discovery, and semantic layers, leading to misinformation, privilege confusion, or coordinated manipulation.
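Each of the four properties named above (authentication, integrity, confidentiality, semantic validation) maps to a concrete check on the receiving side. The example below is an added illustration for this page, not OWASP's code or any agent framework's protocol: two hypothetical agents share a symmetric key per pair, every envelope carries sender, recipient, timestamp and nonce under an HMAC, and the receiver rejects unknown senders, tampered bodies, stale messages, replays, and payloads whose action is not on a semantic allowlist. Confidentiality is left to the transport (e.g. TLS) and is not shown.

```python
"""Authenticated, replay-resistant envelope for agent-to-agent messages.

Constructed example: agent ids, keys and the payload schema are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

# Semantic allowlist: a correctly signed message may still carry an action
# this agent should never accept from a peer.
ALLOWED_ACTIONS = {"summarize", "lookup", "draft_reply"}


def canonical(envelope: dict) -> bytes:
    """Deterministic serialization so sender and receiver MAC identical bytes."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


class AgentChannel:
    def __init__(self, agent_id: str, peer_keys: dict, max_skew: int = 30):
        self.agent_id = agent_id
        self.peer_keys = peer_keys        # peer id -> shared secret bytes (one per pair)
        self.max_skew = max_skew          # seconds of clock drift tolerated
        self.seen_nonces: set = set()     # replay detection within the skew window

    def send(self, to: str, payload: dict, now: int) -> dict:
        envelope = {"from": self.agent_id, "to": to, "ts": now,
                    "nonce": secrets.token_hex(16), "payload": payload}
        mac = hmac.new(self.peer_keys[to], canonical(envelope), hashlib.sha256).hexdigest()
        return {**envelope, "mac": mac}

    def receive(self, msg: dict, now: int) -> tuple:
        """Return (accepted, reason); every rejection names the failed check."""
        key = self.peer_keys.get(msg.get("from"))
        if key is None:
            return False, "unknown sender"                 # authentication
        if msg.get("to") != self.agent_id:
            return False, "not addressed to me"            # routing confusion
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"                        # integrity
        ts = msg.get("ts")
        if not isinstance(ts, int) or abs(now - ts) > self.max_skew:
            return False, "stale timestamp"                # replay window
        if msg.get("nonce") in self.seen_nonces:
            return False, "replay"                         # replay within window
        payload = msg.get("payload")
        if not isinstance(payload, dict) or payload.get("action") not in ALLOWED_ACTIONS:
            return False, "payload failed semantic validation"
        self.seen_nonces.add(msg["nonce"])
        return True, "ok"


def demo() -> dict:
    """Exchange between a planner and a worker agent; returns each outcome by label."""
    key = secrets.token_bytes(32)                          # constructed shared secret
    planner = AgentChannel("planner", {"worker": key})
    worker = AgentChannel("worker", {"planner": key})
    out = {}
    msg = planner.send("worker", {"action": "lookup", "ticket": 42}, now=1000)
    out["valid"] = worker.receive(msg, now=1005)
    out["replay"] = worker.receive(msg, now=1006)           # same envelope again
    tampered = dict(msg, payload={"action": "lookup", "ticket": 99})
    out["tampered"] = worker.receive(tampered, now=1005)
    old = planner.send("worker", {"action": "lookup"}, now=1000)
    out["stale"] = worker.receive(old, now=2000)
    forged = dict(planner.send("worker", {"action": "lookup"}, now=1005), **{"from": "intruder"})
    out["unknown_sender"] = worker.receive(forged, now=1005)
    bad = planner.send("worker", {"action": "delete_everything"}, now=1005)
    out["semantic"] = worker.receive(bad, now=1005)
    return out


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Two design points matter in practice: the nonce set only needs to hold nonces inside the skew window, so it can be pruned rather than grow forever, and the semantic check runs last on purpose, after the message is known to be authentic, so that a trusted peer that has itself been compromised or hijacked (ASI01, ASI10) still cannot push an action outside this agent's allowed vocabulary.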
ASI08: Cascading Failures
Cascading failures occur when a single fault, such as a hallucination, poisoned memory, or corrupted tool, propagates across autonomous agents and compounds into system-wide harm. Because agents plan, persist, and delegate autonomously, an initial error can bypass stepwise human checks, persist in saved state, and chain through interconnected agents and workflows faster than humans can intervene.
ASI09: Human-Agent Trust Exploitation
Human-agent trust exploitation occurs when adversaries or misaligned designs leverage the trust users place in an agent's fluency, perceived expertise, and anthropomorphic cues to influence decisions, extract sensitive information, or steer harmful actions. Over-reliance on confident or authoritative recommendations, combined with automation and authority bias, leads users to approve actions without independent validation, making the agent's role in a compromise hard to trace.
ASI10: Rogue Agents
Rogue agents are malicious or compromised agents that deviate from their intended function or authorized scope, acting harmfully, deceptively, or parasitically within an agentic ecosystem. Because each individual action may appear legitimate while the emergent behavior becomes harmful, this loss of behavioral integrity creates a containment gap for traditional rule-based controls and can act like an insider threat operating at machine speed.