Hackers Exploit LMDeploy SSRF Flaw Just 12 Hours After Disclosure
A critical Server-Side Request Forgery (SSRF) vulnerability in LMDeploy’s vision-language module was weaponized in active attacks just 12 hours and 31 minutes after its public disclosure, with no proof-of-concept code required, underscoring the growing threat to AI inference infrastructure.
On April 21, 2026, GitHub published security advisory GHSA-6w67-hwm5-92mq, subsequently assigned CVE-2026-33626, a high-severity SSRF flaw carrying a CVSS score of 7.5.
The vulnerability affects LMDeploy, an open-source toolkit developed by Shanghai AI Laboratory (InternLM) for serving vision-language and text large language models (LLMs).
LMDeploy SSRF Vulnerability
The root cause resides in the load_image() function within lmdeploy/vl/utils.py, which fetches image URLs supplied via API requests without validating whether those URLs resolve to internal or private network addresses.
Any attacker capable of sending a chat completion request can force the server to retrieve arbitrary internal URLs, including cloud metadata services, local databases, and sensitive administrative endpoints, and return their contents in the response.
According to the Sysdig Threat Research Team (TRT), which deployed a honeypot running a vulnerable LMDeploy instance shortly after the advisory went live, the first exploitation attempt occurred at 03:35 UTC on April 22, 2026.
The attack originated from IP address 103.116.72.119, attributed to Prime Security Corp. in Kowloon Bay, Hong Kong.
Critically, no public proof-of-concept existed at the time. The advisory text alone, which named the affected file, the vulnerable parameter, and the absent validation logic, was sufficient for the attacker to construct a working exploit.
Three-Phase Attack in Eight Minutes
The attacker executed 10 distinct requests across three phases within a single eight-minute session:
- Phase 1 – Cloud metadata and Redis probe: Targeted the AWS Instance Metadata Service (IMDS) endpoint at 169.254.169.254 to harvest IAM credentials, then pivoted to confirm an open Redis port at 127.0.0.1:6379
- Phase 2 – Out-of-band (OOB) confirmation: Issued a DNS callback to cw2mhnbd.requestrepo.com (an OAST service) to verify unrestricted external egress, validating the blind SSRF channel
- Phase 3 – Admin-plane and localhost port sweep: Probed /distserve/p2p_drop_connect, an unauthenticated endpoint capable of disrupting LMDeploy’s internal ZMQ inference routing, then swept loopback ports 8080, 3306, and 80 in just 36 seconds
CVE-2026-33626 exposes a dangerous pattern in modern AI deployments. LMDeploy inference servers typically run on GPU cloud instances carrying broad IAM roles, granting access to S3 model artifacts, training datasets, and potentially cross-account privileges, making a single SSRF flaw a gateway to significant cloud compromise.
Despite LMDeploy boasting nearly 7,800 GitHub stars, it does not appear in CISA’s Known Exploited Vulnerabilities (KEV) catalog, illustrating how niche AI-infrastructure tools routinely evade standard enterprise scanning workflows.
Remediation
Organizations should upgrade immediately to LMDeploy v0.12.3 or later, which introduces a _is_safe_url() check blocking requests to private IP ranges and link-local addresses. Additional hardening steps include:
- Placing a reverse proxy in front of the inference API to strip or rewrite internal URLs
- Applying strict egress firewall rules on all GPU instances
- Inventorying all AI-serving tools, including vLLM, TGI, Ray Serve, and LMDeploy, under formal CVE scanning programs
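For deployments that add their own guard in front of image fetching, the following is an added example of the kind of check described above; it is not LMDeploy's `_is_safe_url()` implementation. The names `is_safe_image_url` and `resolver` are hypothetical, and the resolver is injectable so the check can be tested without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host, port):
    """Return every IP address the host name resolves to (uses system DNS)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def _is_public(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local, CGNAT, etc.
    return ip.is_global


def is_safe_image_url(url, resolver=_system_resolver):
    """True only if the URL is http(s) and every resolved address is public."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed brackets or port
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    try:
        # IP literal: classify directly, no DNS lookup needed.
        return _is_public(str(ipaddress.ip_address(host)))
    except ValueError:
        pass  # not an IP literal, fall through to name resolution
    try:
        addresses = resolver(host, port)
    except OSError:
        return False  # fail closed when resolution fails
    # Reject if ANY record is internal, so mixed answers cannot slip through.
    return bool(addresses) and all(_is_public(a) for a in addresses)
```

A check like this only holds if the fetch then connects to the address that was validated and every HTTP redirect is passed through the same function; otherwise a second DNS lookup or a redirect can land on an internal address after validation.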
Indicators of Compromise (IOCs)
| Type | Value | Purpose |
|---|---|---|
| Source IP | 103.116.72.119 | Attacker origin (HK, AS400618) |
| OOB Domain | cw2mhnbd.requestrepo.com | Blind SSRF confirmation |
| SSRF Target | 169.254.169.254/latest/meta-data/iam/security-credentials/ | AWS IAM credential theft |
| SSRF Target | 127.0.0.1:6379 | Redis port probe |
| SSRF Target | 127.0.0.1:3306 | MySQL port probe |