CVE-2026-33626: LMDeploy SSRF Exploited Within 12 Hours of Disclosure for Cloud Metadata Access
Date: 2026-04-24
Tags: supply-chain, malicious-tool
Executive Summary
On April 21, 2026, GitHub published GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy. Within 12 hours and 31 minutes of its publication on the main GitHub advisory page, the Sysdig Threat Research Team (TRT) observed the first LMDeploy exploitation attempt against our honeypot fleet. The attacker used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LMDeploy SSRF Reconnaissance Campaign |
| Attribution | Unknown; opportunistic exploitation (confidence: low) |
| Target | LMDeploy inference servers with cloud hosting and internal network access |
| Vector | Vision-language LLM SSRF via malicious image URL |
| Status | active |
| First Observed | 2026-04-21 |
Detailed Findings
LMDeploy is a toolkit for serving vision-language and text large language models (LLMs) developed by Shanghai AI Laboratory, InternLM. CVE-2026-33626 fits a pattern that has been observed repeatedly in the AI-infrastructure space over the past six months: critical vulnerabilities in inference servers, model gateways, and agent orchestration tools are being weaponized within hours of advisory publication, regardless of the size or extent of their install base. An advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit. Any advisory that names the vulnerable function, shows the missing check, or quotes the affected code pattern, in the age of capable code-generation models, becomes a turnkey exploit. What distinguishes CVE-2026-33626 from a textbook SSRF is what the primitive unlocks on an AI-serving node: IAM credentials and cloud metadata. CVE-2026-33626 in LMDeploy was exploited within 12 hours of disclosure, enabling attackers to use a vision-LLM endpoint for SSRF-based internal network scanning, cloud metadata access, and service enumeration.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Server-Side Request Forgery (SSRF) | T1190 | SSRF vulnerability in vision-language image loader enabling internal network access |
| Reconnaissance | T1592 | Attacker port-scanned AWS IMDS, Redis, MySQL to enumerate internal infrastructure |
IOCs
Domains
_CVE-2026-33626 affects LMDeploy toolkit; affected versions not explicitly specified in available advisory text; GitHub advisory GHSA-6w67-hwm5-92mq is primary reference_
Full URL Paths
_CVE-2026-33626 affects LMDeploy toolkit; affected versions not explicitly specified in available advisory text; GitHub advisory GHSA-6w67-hwm5-92mq is primary reference_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
lmdeployDetection Recommendations
Monitor for unexpected outbound HTTP requests from LMDeploy processes, especially to 169.254.169.254 (AWS IMDS), localhost on non-standard ports (6379 for Redis, 3306 for MySQL), or external DNS exfiltration endpoints. Log all image loading requests and validate URL safety against a whitelist. Implement least-privilege IAM roles for LMDeploy service accounts to limit IMDS credential exposure. Apply network segmentation to restrict LMDeploy access to internal resources.
References
- [Sysdig Threat Research Team] CVE-2026-33626: How attackers exploited LMDeploy LLM Inference Engines in 12 hours (2026-04-23) — https://webflow.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours
- [GitHub Security Advisory] GHSA-6w67-hwm5-92mq: SSRF in LMDeploy (2026-04-21) — https://github.com/advisories/GHSA-6w67-hwm5-92mq