A critical Server-Side Request Forgery (SSRF) vulnerability in LMDeploy’s vision-language module was exploited in active attacks just 12 hours and 31 minutes after its public disclosure, with no proof-of-concept code required.
On April 21, 2026, GitHub published security advisory GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, a high-severity SSRF flaw (CVSS 7.5) in LMDeploy, an open-source toolkit developed by Shanghai AI Laboratory (InternLM) for serving vision-language and text large language models (LLMs).
The root cause lies in the load_image() function in lmdeploy/vl/utils.py, which fetches image URLs from API requests without validating whether they point to internal or private network addresses.
This means any attacker who can send a chat completion request can force the server to fetch arbitrary internal URLs, including cloud metadata services and local databases, and return their contents.
According to the Sysdig Threat Research Team (TRT), which deployed a honeypot running a vulnerable LMDeploy instance shortly after the advisory went live, the first exploitation attempt was observed at 03:35 UTC on April 22, 2026, originating from IP address 103.116.72.119 (attributed to Prime Security Corp., Kowloon Bay, HK).
No public proof-of-concept (PoC) existed at the time; the advisory text alone, which named the affected file, the vulnerable parameter, and the missing validation logic, was sufficient for the attacker to construct a working exploit.
The attacker executed 10 distinct requests across three phases within a single eight-minute session:
CVE-2026-33626 highlights a dangerous pattern: AI inference servers like LMDeploy typically run on GPU cloud instances with broad IAM roles, granting access to S3 model artifacts, training datasets, and sometimes cross-account privileges.
Despite LMDeploy having nearly 7,800 GitHub stars, it does not appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, illustrating how niche AI-infrastructure tools evade standard enterprise scanning workflows.
Upgrade to LMDeploy v0.12.3 or later, which introduces a _is_safe_url() check that blocks requests to private IP ranges and link-local addresses. Organizations should also:
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.