CVE-2026-33626: LMDeploy SSRF Exploited Within 12 Hours of Disclosure for Cloud Metadata Access
Date: 2026-04-23
Tags: malicious-tool, supply-chain
Executive Summary
On April 21, 2026, GitHub published GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, a toolkit for serving vision-language and text large language models (LLMs). The vulnerability was exploited within 12 hours of disclosure: attackers used a vision-LLM endpoint for SSRF-based internal network scanning, cloud metadata access, and service enumeration.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LMDeploy SSRF Weaponization Campaign (CVE-2026-33626) |
| Attribution | Unknown; exploitation activity observed within hours (confidence: low) |
| Target | Organizations running LMDeploy inference servers on internet-accessible infrastructure; cloud environments with LMDeploy deployments |
| Vector | SSRF-based internal network scanning, cloud metadata access, and service enumeration. Three localhost probes in 36 seconds is the signature of a scripted port sweep using the SSRF as a probe primitive. The attacker is not looking for image files; they are instead treating the vision-LLM endpoint as a generic HTTP GET that can reach addresses the external network cannot. |
| Status | active |
| First Observed | 2026-04-21 |
Detailed Findings
Every one of these URLs is blocked by the v0.12.3 _is_safe_url() check.

CVE-2026-33626 fits a pattern that we have observed repeatedly in the AI-infrastructure space over the past six months: critical vulnerabilities in inference servers, model gateways, and agent orchestration tools are being weaponized within hours of advisory publication, regardless of the size or extent of their install base. LMDeploy, for instance, has 7,798 GitHub stars, an order of magnitude fewer than mainstream projects like vLLM or Ollama, and it does not appear in CISA's Known Exploited Vulnerabilities (KEV) catalog.

An advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit. We have observed and reported on this pattern across multiple recent niche-target exploitations: a GHSA is published and a working exploit appears within hours, although no public PoC existed. In the age of capable code-generation models, any advisory that names the vulnerable function, shows the missing check, or quotes the affected code pattern becomes a turnkey exploit.

What distinguishes CVE-2026-33626 from a textbook SSRF is what the primitive unlocks on an AI-serving node: IAM credentials and cloud metadata. Twelve hours and 31 minutes from publication to the first observed exploitation of LMDeploy is short enough that "patch Tuesday" cadences and monthly scans are not a sufficient control. The attacker did not merely validate the bug; they used it as a port-scanning primitive in a single eight-minute session.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Server-Side Request Forgery (SSRF) | T1190 | Vision-LLM endpoint exploited to perform requests to internal addresses |
| Cloud Metadata Access | T1526 | SSRF used to enumerate cloud metadata endpoints (IAM credentials, service tokens) |
| Active Scanning: Vulnerability Scanning | T1595.002 | Port sweeping and service enumeration via SSRF |
IOCs
Domains
_No specific IOCs published; exploitation focused on localhost enumeration and cloud metadata access patterns_
Package Indicators
lmdeploy@<0.12.3
Detection Recommendations
For defenders running AI infrastructure: vision-LLM image loaders, agent tool-use endpoints, and RAG fetchers are all SSRF candidates by default unless explicit egress filtering is applied. Recommended actions:
- Implement strict URL allowlisting for all image retrieval endpoints.
- Monitor for HTTP requests to localhost or private IP ranges (169.254.x.x, 10.x.x.x, 172.16-31.x.x, 192.168.x.x) from LMDeploy processes.
- Audit LMDeploy logs for _is_safe_url() bypass attempts or failed URL validations.
- Implement network segmentation to restrict egress from inference servers.
- Deploy WAF rules to block common SSRF payloads in image URLs.

Urgent patching to LMDeploy v0.12.3 or later is critical given the 12-hour exploitation window.
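
One way to implement the URL check recommended above for an image-fetching endpoint, as an added example (it is not LMDeploy's `_is_safe_url()` and not code from the advisory). The names `check_image_url`, `is_public_address`, `system_resolve` and the sample hosts and addresses are hypothetical; the resolver is injectable so the demo runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolve(host, port):
    """Every address the OS resolver returns for host (needs network for names)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_public_address(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    return ip.is_global  # False for loopback, link-local, RFC 1918, CGNAT, ...

def check_image_url(url, allowed_hosts=None, resolve=system_resolve):
    """Return (ok, reason) for a user-supplied image URL (hypothetical helper)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "unparseable URL"
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: no lookup needed
    except ValueError:
        try:
            addrs = resolve(host, port or (443 if parts.scheme == "https" else 80))
        except OSError:
            return False, "resolution failed"
    # Reject if ANY resolved address is internal, not just the first one.
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked or not addrs:
        return False, "non-public address: " + ", ".join(blocked)
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample inputs; the fake resolver keeps the demo offline.
    fake_dns = {"img.example.com": ["93.184.216.34"],
                "internal.example.net": ["93.184.216.34", "10.0.0.5"]}
    for u in ["https://img.example.com/cat.png", "http://127.0.0.1:8080/",
              "http://169.254.169.254/", "http://[::ffff:127.0.0.1]/",
              "http://internal.example.net/x.png"]:
        print(u, check_image_url(u, resolve=lambda h, p: fake_dns[h]))
```

A check like this only holds if the HTTP client then connects to the address that was validated and the check is repeated on every redirect hop; otherwise a second DNS lookup or a redirect can still land on an internal address.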
References
- [Sysdig] CVE-2026-33626: How attackers exploited LMDeploy LLM Inference Engines in 12 hours (2026-04-21) — https://www.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours
- [GitHub Advisory Database] GHSA-6w67-hwm5-92mq (2026-04-21) — https://github.com/advisories/GHSA-6w67-hwm5-92mq