Full Report
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure. The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), relates to a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data. "A server-side
Analysis Summary
# Vulnerability: LMDeploy SSRF in Vision-Language Module
## CVE Details
- **CVE ID:** CVE-2026-33626
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-918 (Server-Side Request Forgery)
## Affected Systems
- **Products:** LMDeploy (Open-source LLM compression and deployment toolkit)
- **Versions:** All versions up to and including 0.12.0.
- **Configurations:** Systems utilizing the vision-language (VL) support module.
## Vulnerability Description
A Server-Side Request Forgery (SSRF) exists in the `load_image()` function within `lmdeploy/vl/utils.py`. The toolkit fetches images from arbitrary URLs without properly validating or restricting internal or private IP addresses. This allow an attacker to force the server to make requests to internal resources that are otherwise shielded from the internet.
## Exploitation
- **Status:** Exploited in the wild (First detected ~12.5 hours after disclosure).
- **Complexity:** Low (Can be automated via LLM-assisted exploit generation).
- **Attack Vector:** Network (Remote).
- **Note:** Attackers are using this as a generic HTTP SSRF primitive to scan internal environments.
## Impact
- **Confidentiality:** High (Access to cloud metadata/IMDS, internal databases, and sensitive credentials).
- **Integrity:** Medium (Potential for interacting with internal administrative interfaces).
- **Availability:** Low (Primary risk is data exposure and lateral movement).
## Remediation
### Patches
- Users should update LMDeploy to the latest version (as of the advisory, fixes are implemented in versions post-0.12.0). Check the official [GitHub repository](https://github[.]com/InternLM/lmdeploy) for the most recent security release.
### Workarounds
- Disable the vision-language module if not required.
- Implement strict egress filtering at the network/firewall level to prevent the model server from reaching the AWS Instance Metadata Service (169.254.169.254) or other internal addresses (RFC 1918).
## Detection
- **Indicators of Compromise (IoC):**
- Known Attacker IP: `103.116.72[.]119`
- DNS Exfiltration Domain: `requestrepo[.]com`
- **Detection Methods:**
- Monitor logs for unusual outbound requests from the LMDeploy server, specifically those targeting `127.0.0.1`, `169.254.169.254`, or internal service ports (e.g., Redis:6379, MySQL:3306).
- Audit `load_image` function calls in application logs for unexpected URL schemes or internal IP addresses.
## References
- Vendor Advisory: [https://github[.]com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq]
- Original Source: [https://thehackernews[.]com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html]
- Technical Analysis: [https://www[.]sysdig[.]com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours]