★ 8/10 · Security · 2026-04-24

LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

Summary

A high-severity Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-33626, has been identified in the LMDeploy toolkit. The flaw allows attackers to exploit the vision-language module to access internal networks, sensitive cloud metadata, and private resources.

Key Points

  • Vulnerability ID: CVE-2026-33626 (CVSS score: 7.5).
  • Affected Versions: All LMDeploy versions 0.12.0 and prior that include vision-language support.
  • Root Cause: The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating against internal or private IP addresses.
  • Exploitation Scope: Attackers can use the vulnerability to target AWS Instance Metadata Service (IMDS), Redis, MySQL, and the loopback interface (127.0.0.1).
  • Observed Tactics: Attackers have utilized out-of-band (OOB) DNS exfiltration (e.g., to requestrepo[.]com) and rotated between different vision-language models (VLMs), such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B, to evade detection.

Technical Details

The vulnerability resides in the vision-language module of LMDeploy. Specifically, the load_image() function in lmdeploy/vl/utils.py lacks sufficient input validation when processing image URLs. Because the function does not check if the requested URL resolves to a private or internal IP address, an attacker can use the model server as an HTTP SSRF primitive to proxy requests into the server's internal environment.

In active exploitation scenarios, attackers have demonstrated the ability to perform internal port scanning and service enumeration. This includes targeting cloud-specific metadata services (IMDS) to potentially steal cloud credentials and probing internal databases like Redis and MySQL. Exploitation has been observed to proceed in multiple phases, including testing egress via OOB DNS callbacks to confirm that the server can reach arbitrary external hosts, and subsequently mapping the internal API surface.

Impact / Why It Matters

Successful exploitation can lead to the theft of cloud credentials, unauthorized access to internal-only services, and lateral movement within the network. Developers and operators of LMDeploy-based inference servers must implement strict URL allowlisting or network-level egress filtering to prevent unauthorized internal requests.
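
The check that load_image() is described as lacking can be written as a pre-fetch gate: resolve the host and reject the URL unless every resolved address is public. This is an added example, not LMDeploy's code or its fix; check_image_url, is_internal, ALLOWED_HOSTS and the SAMPLE_DNS answers are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = set()  # hypothetical operator allowlist; empty = any public host

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "images.example.com": ["8.8.8.8"],
    "mixed.example": ["8.8.8.8", "10.0.0.5"],  # one internal answer
}

def system_resolver(host, port):
    """Every IP the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals pass through unchanged

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:127.0.0.1 is still loopback
        ip = mapped
    # is_global is False for loopback, RFC 1918, link-local (IMDS), CGNAT, reserved
    return ip.is_multicast or not ip.is_global

def check_image_url(url, resolver=system_resolver):
    """Return the vetted IP list for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if ALLOWED_HOSTS and host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(host, port)
    if not addresses or any(is_internal(a) for a in addresses):
        raise ValueError(f"{host} does not resolve only to public addresses")
    return addresses

def is_allowed(url, resolver=sample_resolver):
    try:
        check_image_url(url, resolver)
        return True
    except (ValueError, OSError):  # OSError covers DNS resolution failures
        return False
```

The fetch must then connect to one of the returned addresses rather than re-resolving the name, and every HTTP redirect must pass through the same check; otherwise DNS rebinding or a redirect to an internal host bypasses the validation.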
