CVE-2026-33626
Published: 2026-04-20
Priority: P1 84 · high · 7.5 (CVSS 3.1)
Exploited in the wild (VulnCheck KEV)
EPSS: 45.25% (98.6th percentile)
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| internlm | lmdeploy | < 0.12.3 | 0.12.3 |
| internlm | lmdeploy | 0 – 0.12.2 | — |
Detection & IOCs (extracted from sources)

Request pattern (Nuclei-style placeholders):

```http
POST /v1/chat/completions HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json

{"model":"internlm-xcomposer2","messages":[{"role":"user","content":[{"type":"text","text":"Describe this image"},{"type":"image_url","image_url":{"url":"http://{{interactsh-url}}"}}]}]}
```
- Monitor POST requests to /v1/chat/completions where the image_url field contains internal/private IP ranges (e.g., 169.254.169.254 for AWS IMDS, 127.0.0.1, RFC 1918 ranges) or OOB DNS callback domains.
- Detect model-switching between internlm-xcomposer2 and OpenGVLab/InternVL2-8B within the same session as a potential evasion indicator during SSRF exploitation.
- Alert on probing of the LMDeploy /v1/models endpoint followed immediately by a /v1/chat/completions POST carrying image_url; this two-step pattern is what the Nuclei PoC template uses to fingerprint and exploit the service.
- Check for the string 'lmdeploy' in the JSON body of /v1/models responses to identify exposed vulnerable instances, then correlate with subsequent image_url SSRF attempts.
- The exploitation session consisted of 10 distinct requests across three phases; a burst of ~10 requests to /v1/chat/completions within an 8-minute window from a single source IP targeting internal addresses is a strong signal.
- The vulnerability only affects LMDeploy instances with vision-language (VLM) support enabled; deployments without VLM support are not exposed via this attack vector.
- The fix in version 0.12.3 introduces _is_safe_url(), which blocks requests to non-globally-routable IP addresses; detection rules targeting the vulnerable path should be scoped to versions prior to 0.12.3.
- No public proof-of-concept exploit existed at the time of the first observed in-the-wild exploitation, meaning attackers constructed working exploits directly from the advisory text (affected file, parameter name, root cause, sample code).
CVSS provenance
- NVD (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- VulnCheck: 7.5 HIGH
GHSA · 2026-04-21 · CVE-2026-33626 [HIGH] · CWE-918
LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading
## Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources.
## Affected Versions
- **Tested on:** main branch (2026-02-04)
- **Affected:** All versions prior to 0.12.3
## Vulnerable Code
**File:** `lmdeploy/vl/utils.py` (lines 64-67)
```python
from typing import Union

import requests
from PIL import Image


def load_image(image_url: Union[str, Image.Image]) -> Image.Image:
    # ...
    if image_url.startswith('http'):
        # The URL is fetched exactly as supplied: nothing checks whether the
        # host resolves to loopback, link-local or private address space.
        response = requests.get(image_url, headers=headers, timeout=FETCH_TIMEOUT)
        # NO VALIDATION
```
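The following is an added example, not LMDeploy's code and not the `_is_safe_url()` the advisory refers to (that implementation is not on this page). It serves two passages above: the fix note, by showing a guard of the kind described (an image URL is accepted only if every address its host resolves to is globally routable), and the detection bullets, by running their signals (internal-range or OOB-callback image_url values, model switching, and a burst of ~10 requests within 8 minutes from one source) over constructed request records. Function names, the OOB domain list and the sample records are all constructed for this example; the one globally routable address in the sample exists only to exercise the "ok" branch.

```python
import ipaddress
import json
import socket
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Illustrative OOB callback domain suffixes (constructed list; feed it from
# your own threat intel in practice).
OOB_CALLBACK_SUFFIXES = ("interact.sh", "oast.fun")


def resolve_host(host):
    """Addresses a host resolves to; literal IPs need no DNS lookup."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({ipaddress.ip_address(i[4][0]) for i in infos}, key=str)


def is_safe_image_url(url):
    """Hypothetical guard in the spirit of the 0.12.3 fix: accept only http(s)
    URLs whose host resolves solely to globally routable unicast addresses.
    Loopback, link-local (169.254.169.254), RFC 1918, CGNAT and reserved ranges
    all fail ipaddress's is_global; unresolvable hosts fail closed."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    addrs = resolve_host(parsed.hostname)
    return bool(addrs) and all(a.is_global and not a.is_multicast for a in addrs)


def extract_image_urls(body):
    """Every image_url.url in an OpenAI-style chat completion JSON body."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    urls = []
    for msg in data.get("messages", []) if isinstance(data, dict) else []:
        content = msg.get("content")
        for part in content if isinstance(content, list) else []:
            image = part.get("image_url") if part.get("type") == "image_url" else None
            if isinstance(image, dict) and isinstance(image.get("url"), str):
                urls.append(image["url"])
    return urls


def classify_url(url):
    """'oob_callback' for callback domains, 'internal' when the guard would
    reject the URL (the SSRF signal described on this page), else 'ok'."""
    host = (urlparse(url).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in OOB_CALLBACK_SUFFIXES):
        return "oob_callback"
    return "ok" if is_safe_image_url(url) else "internal"


def scan_log(records, window=timedelta(minutes=8), burst=10):
    """Alerts as (source, kind, detail): one per suspicious image_url, plus a
    model_switch and a burst alert per source (source IP stands in for session)."""
    alerts, per_source = [], defaultdict(list)
    for ts, src, path, body in records:
        urls = extract_image_urls(body) if path == "/v1/chat/completions" else []
        if not urls:
            continue
        per_source[src].append((datetime.fromisoformat(ts), json.loads(body).get("model")))
        for url in urls:
            kind = classify_url(url)
            if kind != "ok":
                alerts.append((src, kind, url))
    for src, hits in per_source.items():
        hits.sort(key=lambda h: h[0])
        models = sorted({m for _, m in hits if isinstance(m, str)})
        if len(models) > 1:
            alerts.append((src, "model_switch", ",".join(models)))
        for i, (start, _) in enumerate(hits):  # sliding window over sorted times
            n = sum(1 for t, _ in hits[i:] if t - start <= window)
            if n >= burst:
                alerts.append((src, "burst", f"{n} image_url requests within {window}"))
                break
    return alerts


# Constructed sample access records (timestamp, source, path, JSON body); not
# real traffic. Bodies follow the request pattern shown on this page.
def _body(url, model="internlm-xcomposer2"):
    return json.dumps({"model": model, "messages": [{"role": "user", "content": [
        {"type": "text", "text": "Describe this image"},
        {"type": "image_url", "image_url": {"url": url}}]}]})


ATTACKER = "198.51.100.9"
SAMPLE_LOG = [
    ("2026-04-21T10:00:00", ATTACKER, "/v1/models", ""),
    ("2026-04-21T10:00:10", ATTACKER, "/v1/chat/completions", _body("http://169.254.169.254/latest/meta-data/")),
    ("2026-04-21T10:00:40", ATTACKER, "/v1/chat/completions", _body("http://127.0.0.1:8000/")),
    ("2026-04-21T10:01:00", ATTACKER, "/v1/chat/completions", _body("http://a1b2.interact.sh/", "OpenGVLab/InternVL2-8B")),
    ("2026-04-21T10:02:00", "203.0.113.4", "/v1/chat/completions", _body("http://93.184.216.34/cat.png")),
] + [  # seven more internal probes from the same source, one per minute
    (f"2026-04-21T10:0{2 + i}:00", ATTACKER, "/v1/chat/completions", _body(f"http://10.0.0.{i + 1}/"))
    for i in range(7)
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(*alert)
```

Running the module prints one alert per internal-range or callback image_url from the attacking source, a model_switch alert for that source, and a burst alert, while the single request from the second source produces nothing. The guard resolves the host before deciding, so a hostname pointing at an internal address is caught as well as a literal IP; it still cannot see a DNS answer that changes between the check and the fetch, which is why the detection side matters alongside the fix.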
VulnCheck · 2026 · CVSS 7.5 · CVE-2026-33626 [HIGH]
internlm lmdeploy Server-Side Request Forgery (SSRF)
Affected: internlm lmdeploy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://webflow.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-
No detection rules found.
Nuclei · CVSS 7.5 · CVE-2026-33626 [HIGH]
LMDeploy - Server-Side Request Forgery
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in the vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal or private IP addresses, allowing unauthenticated attackers to access cloud metadata services, internal networks, and sensitive resources via the image_url parameter in /v1/chat/completions requests.
Template:

```yaml
id: CVE-2026-33626

info:
  name: LMDeploy - Server-Side Request Forgery
  author: theamanrawat
  severity: high
  description: |
    LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side
```
Checkpoint · blogs_checkpoint · 2026-05-26 · tagged CVE-2026-34197
AI Threat Landscape Digest March-April 2026
## Executive Summary
During the March–April 2026 reporting period, AI use in offensive operations advanced from development and planning to re
Hackernews · blogs_hackernews · 2026-04-27 · tagged CVE-2025-20333
⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & More
Everything is dumb again. This week feels broken in a very familiar way. Old tricks are back. New tools are doing shady crap. Supply chains got hit. Fake help desks worked. Weird research showed how easy some attacks still are.
Most of it feels like stuff we should have fixed years ago. Bad extensions. Stolen creds. Remote tools are getting abused. Malware hides in places people trust. Same mess, cleaner packaging.
Coffee is cold. The vuln list is ugly. Let’s get into it.
## ⚡ Threat of the Week
New fast16 Malware Was Developed Y
Checkpoint · blogs_checkpoint · 2026-04-27 · tagged CVE-2025-55182
27th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 27th April, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Vercel, a frontend cloud platform, has disclosed a security incident linked to a compromise at Context.ai, where stolen OAuth tokens enabled unauthorized access through a connected app. The company reported access to employee information, internal logs, and a subset of environment variables, while stating that the most sensiti
Hackernews · blogs_hackernews · 2026-04-24 · CVSS 7.5 · CVE-2026-33626 [HIGH]
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure.
The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), relates to a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data.
"A server-side request forgery (SSRF) vulnerability exists in LMDeploy's vision-language module," according to an advisory published by the project maintainers last week. "The lo
References:
- https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626
- https://github.com/InternLM/lmdeploy/pull/4447
- https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3
- https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq