CVE-2026-33626 (LMDeploy SSRF) Exploited Within 13 Hours of Disclosure; AI-Generated Exploits Weaponized at Machine Speed

Date: 2026-04-28
Tags: malicious-tool, shadow-ai

Executive Summary

CVE-2026-33626, a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy disclosed on April 21, 2026, was exploited within 12 hours and 31 minutes, enabling attackers to perform SSRF-based internal network scanning, cloud metadata access, and service enumeration. The advisory included specific details on the affected file, parameter name, and vulnerable code pattern—effectively creating a turnkey exploit prompt for code-generation models, making any advisory naming the vulnerable function or showing the affected code pattern become an instant exploit template in the age of capable code-generation models.

Campaign Summary

Detailed Findings

CVE-2026-33626 is an SSRF vulnerability in LMDeploy's vision-language module where the load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. The attacker did not merely validate the bug, but used it as a port-scanning primitive in a single eight-minute session. Generative AI is accelerating this collapse: an advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit; working exploits have appeared within hours of similar advisories, with no public PoC existing; any advisory that names the vulnerable function, shows the missing check, or quotes the affected code pattern becomes a turnkey exploit in the age of capable code-generation models. Model-serving platforms are frequently deployed outside standard security review and often not covered by CVE scanning until well after disclosure; CVE-2026-33626 fits a consistent pattern where inference and agent-framework SSRF bugs are weaponized within hours of GHSA publication by operators who build from the advisory rather than wait for a public PoC.

MITRE ATT&CK Mapping

IOCs

Domains

_CVSS 7.5; Affected parameter: load_image() in lmdeploy/vl/utils.py; No malware samples or specific IOCs published; exploitation pattern observed via honeypot/telemetry._

Full URL Paths

_CVSS 7.5; Affected parameter: load_image() in lmdeploy/vl/utils.py; No malware samples or specific IOCs published; exploitation pattern observed via honeypot/telemetry._

Splunk Format

_No IOCs available for Splunk query_

Package Indicators

lmdeploy <= 0.12.2

Detection Recommendations

Monitor LMDeploy instances for outbound HTTP/HTTPS requests to link-local (169.254.x.x), loopback (127.x.x.x), and private RFC1918 ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x) originating from vision-LLM endpoints. Implement egress filtering at network level to block outbound connections from AI inference nodes to internal IP ranges. For defenders running AI infrastructure, enforce IMDSv2 with token requirements on cloud instances. Patch LMDeploy to version 0.12.3 or later immediately. Treat vision-LLM image loaders, agent tool-use endpoints, and RAG fetchers as SSRF candidates by default unless explicit egress filtering is applied.

References

• [Sysdig] CVE-2026-33626: How attackers exploited LMDeploy LLM Inference Engines in 12 hours (2026-04-24) — https://www.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours
• [The Hacker News] LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure (2026-04-24) — https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html
• [Intrucept Labs] Security Flaw in LMDeploy Exploited in 12 hours is CVE-2026-33626 (2026-04-24) — https://intruceptlabs.com/2026/04/security-flaw-in-lmdeploy-exploited-in-12-hours-is-cve-2026-33626/