CVE-2026-33626 LMDeploy SSRF Exploited Within 13 Hours: Attackers Weaponize AI-Generated Exploits for Cloud Metadata Theft
Date: 2026-05-05
Tags: supply-chain
Executive Summary
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), came under active exploitation in the wild less than 13 hours after its public disclosure. The flaw, tracked as CVE-2026-33626 (CVSS score: 7.5), is a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data. GitHub published the advisory as GHSA-6w67-hwm5-92mq on April 21, 2026, and it was later assigned CVE-2026-33626. Within 12 hours and 31 minutes of its publication on the main GitHub advisory page, the Sysdig Threat Research Team (TRT) observed the first LMDeploy exploitation attempt against its honeypot fleet.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | LMDeploy Vision-Language SSRF Exploitation Campaign |
| Attribution | Unknown; likely automation via AI-generated exploit code (confidence: low) |
| Target | Organizations deploying LMDeploy vision-language models; AI inference infrastructure providers |
| Vector | SSRF via load_image() function; cloud metadata service enumeration; internal network scanning |
| Status | active |
| First Observed | 2026-04-21 |
Detailed Findings
A server-side request forgery (SSRF) vulnerability exists in LMDeploy's vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without checking whether they point at internal or private IP addresses, allowing attackers to reach cloud metadata services, internal networks, and sensitive resources. Over a single eight-minute session, the attacker used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server, probing the AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint. Generative AI (GenAI) is accelerating exploit development: an advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file, parameter name, root-cause explanation, and sample vulnerable code, is effectively an input prompt for any commercial LLM to generate a potential exploit.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Server-Side Request Forgery | T1190 | Attacker abuses load_image() function to fetch arbitrary URLs and access cloud metadata services and internal networks |
| Cloud Metadata Theft | T1552.001 | SSRF primitive used to enumerate and extract AWS IMDS credentials, internal service credentials, and network topology |
IOCs
Domains
_Vulnerable versions: 0.12.0 and prior with vision language support; patched in v0.12.3_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
lmdeploy
Detection Recommendations
- Monitor LMDeploy load_image() requests for non-standard IP ranges and RFC 1918 addresses.
- Detect requests to AWS metadata endpoints (169.254.169.254).
- Log and alert on DNS exfiltration attempts from LMDeploy processes.
- Implement egress filtering to block outbound requests to internal/reserved IP ranges from model serving nodes.
- Audit LMDeploy deployment versions to ensure all instances are >= 0.12.3.
- Monitor for port scanning patterns from model inference endpoints.
- Implement a URL allowlist/blocklist for image loading with strict validation of IP address ranges.
References
- [Sysdig] CVE-2026-33626: How attackers exploited LMDeploy LLM Inference Engines in 12 hours (2026-04-25) — https://www.sysdig.com/blog/cve-2026-33626-how-attackers-exploited-lmdeploy-llm-inference-engines-in-12-hours
- [The Hacker News] LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure (2026-04-25) — https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html