cbcvebase.
CVE-2026-33626
published 2026-04-20


Severity: High, CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploitation: exploited in the wild (VulnCheck KEV)
EPSS: 45.25% (98.6th percentile)
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
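As an added example (not LMDeploy's code and not the 0.12.3 patch), a guard of the kind the advisory says the fix introduces: resolve the image URL's host, unwrap IPv4-mapped IPv6 addresses, and refuse unless every resolved address is globally routable. Only the names load_image() and _is_safe_url() come from this page; is_safe_url, system_resolver, fetch_image_bytes and the injectable resolver parameter are this example's own assumptions, and the body of the real helper in lmdeploy/vl/utils.py is not reproduced here.

```python
"""SSRF guard for an image-URL loader: an illustrative example, not LMDeploy's
load_image() or its 0.12.3 _is_safe_url(); only those two names come from the
advisory, every function body here is this example's own."""
import ipaddress
import socket
import urllib.request
from typing import Callable, Iterable
from urllib.parse import urlparse

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve through the OS and return every A/AAAA answer, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _normalize_ip(addr: str):
    """Parse an address string; unwrap ::ffff:a.b.c.d so the IPv4 rules apply."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_safe_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """True only for http(s) URLs whose host resolves exclusively to globally
    routable addresses. is_global is False for loopback, RFC 1918 space,
    link-local 169.254.0.0/16 (where cloud metadata lives), CGNAT 100.64.0.0/10
    and 0.0.0.0, so one predicate covers the ranges the advisory names."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False                    # file://, gopher://, data: are never image sources
    host = parsed.hostname              # brackets stripped; user@host yields host
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        candidates = [host]             # literal IP: judge it directly
    except ValueError:
        try:
            candidates = list(resolver(host))
        except OSError:                 # socket.gaierror is an OSError subclass
            return False
    if not candidates:
        return False
    # One internal record among public ones is still an attack (split answers,
    # rebinding setups), so every resolved address must pass.
    return all(_normalize_ip(a).is_global for a in candidates)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                     # turn any 3xx into an error instead of following it


def fetch_image_bytes(url: str, resolver: Resolver = system_resolver) -> bytes:
    """Guarded counterpart of a fetch-anything loader: refuse before a socket is
    opened, and follow no redirects so a public host cannot 302 to an internal
    one. The library resolves the name again when connecting, so defeating DNS
    rebinding additionally needs the checked IP pinned at the connection layer."""
    if not is_safe_url(url, resolver):
        raise ValueError(f"refusing non-global image URL: {url}")
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    for u in ("https://example.com/cat.png", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://user@10.0.0.5/", "file:///etc/passwd"):
        print(f"{u:45} allowed={is_safe_url(u)}")
```

Two caveats a reviewer of any such fix should ask about: redirects (a pre-fetch check is bypassed if the client follows a 302 from a public host to 169.254.169.254, hence the redirect handler above) and DNS rebinding (the check and the connect resolve separately unless the verified address is pinned).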

Affected

2 ranges

Vendor    Product   Version range   Fixed in
internlm  lmdeploy  < 0.12.3        0.12.3
internlm  lmdeploy  0 – 0.12.2

Detection & IOCs (extracted from sources)

ip: 103.116.72[.]119
domain: requestrepo[.]com
url: /v1/chat/completions
url: /v1/models
path: lmdeploy/vl/utils.py
command (PoC request; {{Hostname}} and {{interactsh-url}} are Nuclei-style template placeholders):
  POST /v1/chat/completions HTTP/1.1
  Host: {{Hostname}}
  Content-Type: application/json

  {"model":"internlm-xcomposer2","messages":[{"role":"user","content":[{"type":"text","text":"Describe this image"},{"type":"image_url","image_url":{"url":"http://{{interactsh-url}}"}}]}]}
other: GHSA-6w67-hwm5-92mq
  • Monitor POST requests to /v1/chat/completions where the image_url field contains internal/private IP ranges (e.g., 169.254.169.254 for AWS IMDS, 127.0.0.1, RFC-1918 ranges) or OOB DNS callback domains.
  • Detect model-switching between internlm-xcomposer2 and OpenGVLab/InternVL2-8B within the same session as a potential evasion indicator during SSRF exploitation.
  • Alert on LMDeploy /v1/models endpoint probing followed immediately by /v1/chat/completions POST with image_url — this two-step pattern is used by the Nuclei PoC template to fingerprint and exploit the service.
  • Check for the presence of 'lmdeploy' in the JSON body of /v1/models responses to identify exposed vulnerable instances, then correlate with subsequent image_url SSRF attempts.
  • The exploitation session consisted of 10 distinct requests across three phases; a burst of ~10 requests to /v1/chat/completions within an 8-minute window from a single source IP targeting internal addresses is a strong signal.
  • The vulnerability only affects LMDeploy instances with vision-language (VLM) support enabled; deployments without VLM support are not exposed via this attack vector.
  • The fix in version 0.12.3 introduces _is_safe_url() which blocks requests to non-globally-routable IP addresses; detection rules targeting the vulnerable path should be scoped to versions prior to 0.12.3.
  • No public proof-of-concept exploit existed at the time of the first observed in-the-wild exploitation, meaning attackers constructed working exploits directly from the advisory text (affected file, parameter name, root cause, sample code).
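The detection bullets above turned into runnable logic over constructed request logs, as an added example written for this page (not an LMDeploy or vendor rule). The record shape (ts, src, method, path, body) is an assumption to map your proxy or gateway fields onto; requestrepo.com comes from the IOC list, the sample's source address reuses the IOC IP so the output reads like the observed session, and every other value in the sample is made up.

```python
"""Detection logic for the indicators above, run over constructed request logs.
Example code written for this page, not an LMDeploy or vendor rule. Record
shape (ts, src, method, path, body) is an assumption; map your gateway fields."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

OOB_DOMAINS = {"requestrepo.com"}            # from the IOC list; add your own OAST zones
VLM_MODELS = {"internlm-xcomposer2", "OpenGVLab/InternVL2-8B"}
CHAT, MODELS = "/v1/chat/completions", "/v1/models"


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def extract_image_urls(body: dict) -> list[str]:
    """Every image_url target in an OpenAI-style chat body (string or object form)."""
    urls = []
    for msg in body.get("messages", []):
        content = msg.get("content")
        for part in content if isinstance(content, list) else []:
            if isinstance(part, dict) and part.get("type") == "image_url":
                img = part.get("image_url")
                url = img.get("url") if isinstance(img, dict) else img
                if isinstance(url, str):
                    urls.append(url)
    return urls


def classify_target(url: str):
    """Why the URL is an SSRF indicator, or None. Literal IPs only: a detector
    must not resolve attacker-chosen names itself (that would be the callback)."""
    host = (urlparse(url).hostname or "").lower()
    if host in OOB_DOMAINS or any(host.endswith("." + d) for d in OOB_DOMAINS):
        return "oob-callback-domain"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return None if ip.is_global else "non-global-ip"


def analyze(records, window=timedelta(minutes=8), burst=10) -> list[dict]:
    """Per-source alerts: ssrf-target, fingerprint-then-exploit (/v1/models then an
    image_url POST within `window`), model-switching, burst (>= `burst` suspicious
    POSTs within `window`; the page's session was ~10 requests in 8 minutes)."""
    alerts, by_src = [], defaultdict(list)
    for r in sorted(records, key=lambda r: _ts(r["ts"])):
        by_src[r["src"]].append(r)
    for src, reqs in by_src.items():
        models_seen, probe_at, hits = set(), None, []
        for r in reqs:
            ts = _ts(r["ts"])
            if r["path"] == MODELS:
                probe_at = ts
                continue
            if r["path"] != CHAT or r["method"] != "POST":
                continue
            body = r.get("body") or {}
            urls = extract_image_urls(body)
            if not urls:
                continue
            if body.get("model") in VLM_MODELS:
                models_seen.add(body["model"])
            if probe_at is not None and ts - probe_at <= window:
                alerts.append({"src": src, "rule": "fingerprint-then-exploit", "ts": r["ts"]})
                probe_at = None                   # report each probe/exploit pairing once
            for url in urls:
                reason = classify_target(url)
                if reason:
                    hits.append(ts)
                    alerts.append({"src": src, "rule": f"ssrf-target:{reason}", "ts": r["ts"], "url": url})
        if len(models_seen) >= 2:
            alerts.append({"src": src, "rule": "model-switching", "models": sorted(models_seen)})
        for i, start in enumerate(hits):            # sliding window over suspicious POSTs
            n = sum(1 for t in hits[i:] if t - start <= window)
            if n >= burst:
                alerts.append({"src": src, "rule": "burst", "count": n})
                break
    return alerts


def _req(ts, src, model, url):
    return {"ts": ts, "src": src, "method": "POST", "path": CHAT, "body": {"model": model,
            "messages": [{"role": "user", "content": [{"type": "text", "text": "Describe this image"},
                                                      {"type": "image_url", "image_url": {"url": url}}]}]}}


# Constructed sample: a /v1/models probe, then ten internal-target POSTs in under
# five minutes alternating the two VLM model names, plus one benign client.
ATTACKER = "103.116.72.119"
TARGETS = ["http://169.254.169.254/latest/meta-data/", "http://127.0.0.1:8000/", "http://10.0.0.1/",
           "http://[::1]/", "http://requestrepo.com/x", "http://192.168.1.1/",
           "http://[::ffff:169.254.169.254]/", "http://100.100.100.200/latest/meta-data/",
           "http://172.16.0.1/", "http://0.0.0.0/"]
SAMPLE = [{"ts": "2026-04-18T10:00:00Z", "src": ATTACKER, "method": "GET", "path": MODELS}]
SAMPLE += [_req(f"2026-04-18T10:0{i // 2 + 1}:{'00' if i % 2 == 0 else '30'}Z", ATTACKER,
                ("internlm-xcomposer2", "OpenGVLab/InternVL2-8B")[i % 2], TARGETS[i]) for i in range(10)]
SAMPLE.append(_req("2026-04-18T10:03:10Z", "198.51.100.7", "internlm-xcomposer2", "https://example.com/cat.png"))

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The burst and window thresholds are taken from the single session described above and will need tuning; the fingerprint-then-exploit pairing and a non-global literal IP in image_url are the low-noise signals, since legitimate clients have no reason to send either.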

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH