Shanghai AI Laboratory · 2026-04-18 · notable
LMDeploy CVE-2026-33626: SSRF in Vision-Language Module Exploited Within 13 Hours
A high-severity SSRF in LMDeploy's vision-language image loader lets attackers access cloud credentials and scan internal networks via a single chat completions call. Exploited in the wild within 12.5 hours of disclosure. Fixed in 0.12.3.
Key specs
| CVSS score | 7.5 (High) |
|---|---|
| Time to first exploit | 12h 31m |
| Affected versions | ≤ 0.12.0 |
| Fixed version | 0.12.3 |
What is it?
CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy (7.8k GitHub stars), Shanghai AI Lab's toolkit for compressing and serving LLMs and vision-language models including DeepSeek, Qwen, InternLM, and Llama. The flaw is in load_image() in lmdeploy/vl/utils.py, which fetches arbitrary image URLs without validating internal or private IP ranges. Disclosed via GitHub advisory on April 18, 2026 and patched in version 0.12.3.
How does it work?
An attacker posts a chat completions request whose image_url points at the AWS instance metadata service (169.254.169.254) or any other internal host. LMDeploy fetches the URL server-side without checking for RFC1918 or link-local ranges, so IAM credentials or internal service responses come back to the attacker through the API. Sysdig's honeypot captured an attacker using the SSRF as a generic HTTP primitive to probe AWS IMDS and port-scan for Redis, MySQL and an admin interface, all in an 8-minute session that began 12 hours and 31 minutes after the advisory was published.
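The request shape described above, followed by the kind of destination check the loader was missing, as an added example that is not LMDeploy's code or its patch. The request body, the DNS answers, and all function names are constructed for this illustration; the check resolves the hostname itself, rejects every non-public answer (including IPv4-mapped IPv6 and mixed rebinding answers), and returns a pinned IP so the fetch can be made to that address with redirects disabled.

```python
"""Added example (not LMDeploy's own code): the request shape described above and a
hardened image-URL check of the kind an SSRF fix needs. Function names and the
request/DNS data below are assumptions constructed for this illustration."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed attacker request: an OpenAI-style chat completions body whose image_url
# targets the AWS instance metadata service. The model name is a placeholder.
ATTACKER_REQUEST = {
    "model": "vision-model",
    "messages": [{
        "role": "user",
        "content": [
            {"type": "text", "text": "What is in this image?"},
            {"type": "image_url", "image_url": {
                "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}},
        ],
    }],
}

# Constructed DNS answers so the example runs offline; a deployment resolves live.
CONSTRUCTED_DNS = {
    "images.example.com": ["1.1.1.1"],                    # a public address
    "metadata.google.internal": ["169.254.169.254"],      # GCP metadata alias
    "rebind.attacker.example": ["1.1.1.1", "127.0.0.1"],  # mixed answers (rebinding)
}


def constructed_resolver(host: str) -> list[str]:
    return CONSTRUCTED_DNS[host]  # KeyError for unknown names -> unresolvable


def live_resolver(host: str) -> list[str]:
    """Resolve every A and AAAA record; all of them must pass, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_forbidden_ip(ip) -> bool:
    """True for any address an image fetcher must never contact: private, loopback,
    link-local (IMDS lives at 169.254.169.254), multicast, reserved or otherwise
    non-global (e.g. CGNAT 100.64/10). IPv4-mapped IPv6 is unwrapped first so that
    http://[::ffff:169.254.169.254]/ cannot slip past an IPv4-only check."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def validate_image_url(url: str, resolver=live_resolver) -> str:
    """Return the pinned IP for an acceptable image URL, or raise ValueError.
    Connect to the returned IP (Host header set to the hostname) with redirects
    disabled, so neither a second DNS answer nor a 302 can reach an internal host."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 (brackets stripped)
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, KeyError, ValueError) as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise ValueError(f"no addresses for {host!r}")
    for ip in addresses:
        if is_forbidden_ip(ip):
            raise ValueError(f"{host!r} maps to non-public address {ip}")
    return str(addresses[0])


def is_rejected(url: str, resolver=live_resolver) -> bool:
    try:
        validate_image_url(url, resolver)
    except ValueError:
        return True
    return False


def audit_request(body: dict, resolver=live_resolver) -> list[tuple[str, str]]:
    """Walk an OpenAI-style chat request and return (url, reason) for every image_url
    the validator rejects; an empty list means every image URL is acceptable."""
    rejected = []
    for msg in body.get("messages", []):
        content = msg.get("content")
        if not isinstance(content, list):
            continue
        for part in content:
            if part.get("type") != "image_url":
                continue
            url = part.get("image_url", {}).get("url", "")
            try:
                validate_image_url(url, resolver)
            except ValueError as exc:
                rejected.append((url, str(exc)))
    return rejected


if __name__ == "__main__":
    for url, reason in audit_request(ATTACKER_REQUEST, constructed_resolver):
        print(f"REJECTED {url}: {reason}")
```

The resolve-then-pin step matters as much as the range list: a check that only inspects the hostname string, or that resolves once here and lets the HTTP client resolve again, leaves DNS rebinding and redirect chains open. Network-layer egress blocking from the inference host, as recommended below, is the complementary control for the case where a check like this is bypassed.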
Why does it matter?
Any LMDeploy deployment with vision-language support on version 0.12.0 or earlier is exposed on whatever port its API listens on, to any client that can reach the chat completions endpoint, whether or not API-key authentication is enabled. The 12.5-hour exploitation window confirms attackers are actively scanning AI inference infrastructure for freshly disclosed CVEs. Upgrade to 0.12.3, block egress from inference servers to link-local and private IP ranges, and on AWS require IMDSv2, whose session token cannot be obtained with the plain GET an SSRF of this kind issues.
Who is it for?
Teams running LMDeploy in production; AI infrastructure and MLOps engineers
Try it
pip install 'lmdeploy>=0.12.3'