The 2021 list reorganised the map but didn't capture everything the field is seeing in 2026. Broken Access Control (A01) dominates - it appears in over 60% of our web app engagements. SSRF moved from obscure to headline-critical as cloud-native architectures proliferated. Injection narrowed from SQL dominance to a multi-class problem including SSTI and prompt injection. Insecure Design (A04) is the most underappreciated category for SaaS companies. Here's the full picture.
// 01 Why the 2021 → 2026 delta matters
OWASP refreshes the Top 10 on a roughly four-year cadence, using a combination of CVE data, community survey responses, and contributed application security data. The 2021 edition was a significant overhaul - three new categories appeared, two were merged, and the overall framing shifted from "common vulnerability patterns" to "risk categories." The anticipated 2026 update carries that evolution further.
But the official list and what practitioners actually find in engagements are two different things. The list is backward-looking by design - it reflects the collective disclosure record of the last four years. Real engagements reflect the current production environment: modern SaaS architectures, cloud-native deployments, GraphQL APIs, AI-augmented applications, and the specific way developers use today's frameworks.
// 02 A01 - Broken Access Control: still #1, and widening
In 2017 the category was Broken Access Control - in 2021 it moved from #5 to #1. In 2026 engagements it hasn't budged. Every architecture that adds abstraction layers adds access-control surfaces: microservices, tenant isolation boundaries, RBAC permission trees, data-room sharing, admin impersonation flows. Developers secure the happy path; pen testers find the edges.
What we're finding in 2026
The dominant pattern in our current engagement data is BOLA (Broken Object-Level Authorization) - or IDOR as it was classically called. Modern SaaS platforms generate resource identifiers (UUIDs, slugs, numeric IDs) and expose them in URLs, API payloads and WebSocket messages. The authorisation check is supposed to verify that the caller owns the object. In roughly half of the applications we test, that check is absent, inconsistent across endpoints, or bypassable through HTTP method switching.
HTTP# Typical BOLA pattern - A01 finding
GET /api/v2/reports/3847 HTTP/1.1
Authorization: Bearer <tenant-A-token>
HTTP/1.1 200 OK
# Returns tenant-B report - no tenant check on object retrieval
{ "report_id": 3847, "tenant": "acme-corp", "data": {...} }
# Fix: bind object lookup to authenticated tenant context
# SELECT * FROM reports WHERE id = ? AND tenant_id = current_tenant()
The second pattern is vertical privilege escalation through mass assignment. Modern ORMs and serialisation libraries bind request payloads directly to model objects. When a developer forgets the allowlist, a low-privilege user can submit fields like role, is_admin, or billing_owner and elevate themselves in a single PATCH request. We find this in roughly one in four SaaS applications, usually on profile-update or onboarding endpoints.
The attack surface grew. Multi-tenant SaaS, GraphQL APIs, microservice meshes and real-time WebSocket channels all introduced new authorisation surfaces that didn't exist at scale in 2021. The vulnerability class is identical; the number of places to test it doubled.
// 03 A02 & A03 - Cryptographic Failures and Injection: both evolved
Cryptographic Failures (A02)
In 2021 this category replaced "Sensitive Data Exposure" - a deliberate shift from "data was exposed" to "the cryptographic mechanism failed." In 2026 engagements, the most common finding in this category is JWT algorithm confusion. An application that accepts both RS256 (asymmetric) and HS256 (symmetric) tokens with the same key store can be attacked by re-signing an admin claim using the public RSA key as the HMAC secret. Libraries that were vulnerable to this in 2021 are still deployed in production.
The second-most-common cryptographic finding is weak token entropy - password reset tokens, email verification links, and API keys generated with insufficient randomness. We still find MD5 and SHA-1 in password hashing pipelines in legacy services, and TLS 1.0/1.1 on internal APIs that were never exposed to the internet hardening checklist.
Injection (A03)
SQL injection dominated A03 from 2013 to 2021. ORMs and parameterised queries have driven it down significantly in modern codebases - but injection as a class has diversified. In our 2026 engagement data, Server-Side Template Injection (SSTI) is now more commonly found than classic SQL injection in modern stacks. Applications using Jinja2, Twig, Nunjucks, Liquid, or Pebble with user-controlled template strings are trivially exploitable for remote code execution.
HTTP# SSTI probe - Jinja2 / Flask endpoint accepting template variables
POST /api/emails/preview
Content-Type: application/json
{ "subject": "Hello {{7*7}}", "template_id": "welcome" }
# Vulnerable response - template was evaluated server-side
{ "preview": "Hello 49", "subject": "Hello 49" }
# Escalation - code execution
{ "subject": "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}" }
The third injection frontier in 2026 is prompt injection in AI-augmented applications. Applications that accept user input and pass it into LLM prompts without sanitisation can be manipulated to override system instructions, exfiltrate context, or produce adversarial outputs. OWASP's LLM Top 10 addresses this, but classic App Top 10 auditors are starting to include prompt injection test cases in standard engagements.
// 04 A04 - Insecure Design: the most underappreciated category
Insecure Design was introduced in 2021 as a new category distinct from implementation bugs - it covers threat modelling gaps, missing business-logic controls, and architectural decisions that make a system insecure by construction regardless of how carefully the code is written. It's the hardest category to "fix" because the fix often requires architectural change, not a code patch.
In practice, the most common Insecure Design findings we report are race conditions in transactional flows. A payment or inventory system that doesn't hold row-level locks during concurrent operations can be exploited to stack discounts, over-claim free-tier limits, or execute transfers that exceed balance. No scanner can find this - it requires understanding the business invariant and crafting a concurrent attack.
"Insecure Design is the category that keeps us employed five years from now. You can patch an injection vulnerability in an afternoon. You can't patch a payment architecture that was never designed to handle concurrent writes."
CyberFortify offensive security team// 05 A05-A10: what moved, what faded, what's new
Security Misconfiguration
Still broad, but the dominant finding shifted from exposed admin panels and default credentials to cloud IAM misconfigurations - overprivileged Lambda execution roles, public S3 buckets with no bucket policy, and API Gateway endpoints missing authorisers. In 2026, cloud misconfiguration is the leading entry point in our external network assessments.
Vulnerable Components
Software composition analysis (SCA) tooling has improved substantially - most mature pipelines have dependency scanning. But transitive dependencies remain a blind spot. The 2021 Log4Shell incident demonstrated this at scale. In 2026, the risk migrated to ML/AI libraries: transformers, langchain, and model-serving frameworks introduce supply-chain exposure that SCA tools don't yet fully model.
Identification & Auth Failures
Password flows are better guarded now - bcrypt/Argon2 adoption is mainstream. The live finding in this category is OAuth2 and OIDC misconfiguration: open redirect in the redirect_uri parameter, PKCE not enforced, state parameter not validated, and implicit grant still enabled. Social login integrations introduced in the last two years are disproportionately likely to have these issues.
Software & Data Integrity Failures
This category consolidates insecure deserialisation and CI/CD pipeline integrity. The insecure deserialisation finding count dropped significantly as Java / PHP frameworks updated their serialisation libraries. What replaced it: unsigned GitHub Actions workflows, third-party CDN script inclusion without SRI, and auto-update mechanisms that don't verify signatures. Supply-chain attacks are the 2026 expression of this category.
Security Logging & Monitoring Failures
This is the category that most directly enables defenders. In 2026, the finding we report most is the absence of structured audit logging for sensitive operations - admin privilege grants, cross-tenant data access, payment flow mutations. Without this, a breach can persist for months. We include logging coverage in every deliverable because detection maturity directly affects the blast radius of vulnerabilities we find in the same engagement.
Server-Side Request Forgery
SSRF was added in 2021 - it was the highest-scoring category by community survey despite relatively low incidence. The survey was right: SSRF in cloud environments is a critical finding because the path from SSRF entry point to full tenant compromise via the AWS IMDS credential theft chain is reliable and devastating. We now treat SSRF as critical-by-default in cloud-deployed applications.
// 06 What the list still doesn't capture in 2026
The OWASP Top 10 is a risk awareness document, not an exhaustive test plan. There are vulnerability classes that appear frequently in our engagement data that don't map cleanly to any single category - and that list is growing as application architectures evolve.
GraphQL-specific attack surface
Introspection abuse, batching attacks, alias-based rate-limit bypass, and object-level authorisation across nested resolvers are GraphQL-specific findings that don't fit neatly into A01 or A03. Any application exposing a GraphQL endpoint needs a dedicated test plan beyond OWASP mapping.
Multi-tenancy boundary failures
The 2021 OWASP list has no category specifically for tenant isolation failures. Cross-tenant data access is arguably the highest-impact finding in modern SaaS - a single BOLA vulnerability in a shared data layer can expose every tenant's data. This falls under A01, but the specific attack surface - shared databases, shared queues, shared caches - deserves explicit test coverage.
Business logic abuse
Race conditions, coupon stacking, refund chaining, inventory manipulation and referral abuse all live under A04 (Insecure Design), but the testing methodology is completely different from any other category. You need to understand the application's business rules before you can test whether they're enforced. No automated tool can do this. 38% of critical findings we report are business-logic flaws - none of them map cleanly to a single OWASP category.
// 07 How to update your test plan for 2026
If your test scope is currently "OWASP Top 10 coverage," the following additions will meaningfully close the gaps between the list and what a 2026 attacker will actually exploit.
Tenant isolation test cases
Explicitly test cross-tenant data access on every API endpoint that returns resource objects. This is not default behaviour in most test plans derived purely from OWASP categories.
SSRF in cloud metadata
Any endpoint that accepts a URL parameter - webhooks, integrations, file imports, avatars - must be tested for SSRF reaching cloud metadata services. Treat it as critical-by-default in AWS/Azure/GCP deployments.
Race condition testing on transactional flows
Use Burp Intruder or Turbo Intruder to send parallel requests to payment, inventory, and coupon endpoints. Map all invariants first, then attack them concurrently.
JWT and OAuth2 protocol testing
Test alg:none, RS256→HS256 confusion, PKCE enforcement, redirect_uri validation, and token scope escalation. These don't appear as explicit test cases in most OWASP-derived checklists.
SSTI for template-heavy endpoints
Any endpoint that accepts user input that influences output format - email templates, PDF generators, notification bodies, report builders - is a candidate for SSTI. Probe with mathematical expressions before escalating.
Prompt injection for AI features
For applications with LLM-powered features - search, summarisation, chat, code generation - test whether user input can override system prompts, exfiltrate the prompt context, or elicit policy-violating outputs.
// 08 Mapping the 2026 findings to compliance requirements
Every finding CyberFortify reports is mapped to OWASP category, CWE, CVSS v3.1, and the relevant compliance control. For organisations using pen test results as audit evidence, the table below shows the most common 2026 findings and their compliance touchpoints.
| Finding | OWASP | SOC 2 | ISO 27001 | PCI DSS v4 |
|---|---|---|---|---|
| BOLA / IDOR | A01 | CC6.1 | A.8.3 | Req 7 |
| SSRF → IMDS | A10 | CC6.6 | A.8.20 | Req 6.2 |
| JWT alg confusion | A02 | CC6.1 | A.8.24 | Req 8.6 |
| SSTI / RCE | A03 | CC7.1 | A.8.29 | Req 6.3 |
| Mass assignment | A01 | CC6.3 | A.8.3 | Req 7.2 |
| Race condition | A04 | CC6.1 | A.8.29 | Req 6.2 |
| Verbose error leakage | A05 | CC7.2 | A.8.9 | Req 6.3 |
| Missing audit logging | A09 | CC7.2 | A.8.15 | Req 10 |
// 09 The bottom line
The OWASP Top 10 is essential reading - but treating it as a test checklist rather than a risk map leads to incomplete engagements. The 2021 list correctly elevated Broken Access Control and added SSRF; the 2026 revision will reflect the rise of insecure design in cloud-native systems and the new injection surfaces that AI-augmented applications introduce.
What doesn't change: the gap between what automated tools find and what a skilled manual tester finds. Scanners can surface misconfiguration and known CVEs. They cannot model tenant isolation boundaries, abuse business logic, chain SSRF into credential theft, or find the JWT confusion that requires understanding the identity architecture. That gap is why manual pen testing remains the most valuable security investment a modern SaaS company can make - and why the OWASP Top 10 is a starting point, not an endpoint.
Web Application Pentest Checklist - 2026 Edition
156 test cases covering all OWASP categories plus tenant isolation, race conditions, JWT/OAuth2 protocols, GraphQL and AI prompt injection. Updated for 2026 architectures.
Get the checklist →