CVE-2026-33626
Published: 20 April 2026
Summary
CVE-2026-33626 is a high-severity SSRF (CWE-918) vulnerability in Internlm Lmdeploy. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 contain a Server-Side Request Forgery vulnerability in the vision-language module, specifically in the load_image function within lmdeploy/vl/utils.py, which retrieves content from arbitrary URLs without validating internal or private IP addresses. This flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 7.5.
An unauthenticated remote attacker can supply a crafted URL to the affected function and force the server to issue requests against internal resources such as cloud metadata services or private network endpoints, potentially disclosing sensitive data. Exploitation requires no user interaction or privileges and can be performed over the network.
The official GitHub advisory GHSA-6w67-hwm5-92mq and the 0.12.3 release notes state that the issue is resolved by updating to version 0.12.3, which incorporates input validation for URLs in the load_image function; the corresponding commit and pull request are referenced in the advisory.
The EPSS score has remained flat at 0.0870 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23970
Vulnerability details
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing LMDeploy server directly enables T1190 for initial access and facilitates T1522 by allowing unauthenticated requests to cloud instance metadata endpoints for credential and information disclosure.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of URL inputs to the load_image() function to block fetches to internal/private IP addresses or cloud metadata services, directly addressing the SSRF vulnerability.
- SC-7 (Boundary Protection): boundary protection enforces network-level filtering to block unauthorized outbound requests to internal networks and sensitive resources exploited via SSRF.
- Flaw remediation: ensures timely remediation of the specific SSRF flaw through patching to LMDeploy version 0.12.3 or later, eliminating the vulnerable load_image() behavior.
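The SI-10 control above describes the kind of URL validation an image loader needs before it fetches anything server-side. The following is an added illustration of that check, written for this page; it is not LMDeploy's own code and does not reproduce the project's 0.12.3 fix. The function names (`validate_image_url`, `is_public_address`, `is_safe_url`) and the `SAMPLE_RESOLVER` table of constructed hostnames and addresses are assumptions made for the example. The resolver is injected so the check can run offline and so the caller can pin the fetch to the addresses that were actually validated.

```python
"""Reject URLs that would make a server fetch internal or metadata resources.

Added example for CWE-918 input validation; not LMDeploy project code.
"""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlparse

ALLOWED_SCHEMES = frozenset({"http", "https"})

# Cloud metadata endpoints listed explicitly, in addition to the generic
# range checks below, so the intent is visible to reviewers.
METADATA_ADDRESSES = frozenset({
    ipaddress.ip_address("169.254.169.254"),  # IMDS on AWS/GCP/Azure (link-local)
    ipaddress.ip_address("fd00:ec2::254"),    # AWS IMDS IPv6 endpoint
})
CGNAT_RANGE = ipaddress.ip_network("100.64.0.0/10")  # shared address space


class UnsafeURLError(ValueError):
    """Raised when a URL must not be fetched from the server side."""


def _normalize(ip):
    # Treat IPv4-mapped IPv6 (::ffff:10.0.0.1) as the embedded IPv4 address,
    # otherwise the IPv4 range checks could be bypassed through IPv6 syntax.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_public_address(raw: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = _normalize(ipaddress.ip_address(raw))
    if ip in METADATA_ADDRESSES:
        return False
    if ip.version == 4 and ip in CGNAT_RANGE:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _system_resolver(host: str) -> List[str]:
    # Real DNS lookup; every returned address is checked, not just the first.
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def validate_image_url(url: str,
                       resolver: Callable[[str], List[str]] = _system_resolver
                       ) -> List[str]:
    """Return the validated addresses for url, or raise UnsafeURLError.

    The caller should connect to one of the returned addresses (address
    pinning) rather than resolving the hostname a second time, and must
    re-run this check on every HTTP redirect.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username or parsed.password:
        raise UnsafeURLError("credentials in URL are not allowed")
    host = parsed.hostname
    if not host:
        raise UnsafeURLError("URL has no host")
    # A literal address (including bracketed IPv6) is checked without DNS;
    # anything else, including decimal or octal spellings the parser does
    # not recognise, goes through the resolver and is checked afterwards.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeURLError(f"{host!r} did not resolve")
    rejected = [a for a in addresses if not is_public_address(a)]
    if rejected:
        raise UnsafeURLError(f"{host!r} resolves to non-public address(es): {rejected}")
    return addresses


def is_safe_url(url: str, resolver=_system_resolver) -> bool:
    """Boolean convenience wrapper around validate_image_url."""
    try:
        validate_image_url(url, resolver)
    except UnsafeURLError:
        return False
    return True


# Constructed resolver table for offline demonstration (hostnames and
# addresses are made up for this example, not real hosts).
_SAMPLE_TABLE = {
    "public-images.example": ["93.184.216.34"],
    "metadata-alias.example": ["169.254.169.254"],
    "mixed-records.example": ["93.184.216.34", "10.0.0.5"],
}


def SAMPLE_RESOLVER(host: str) -> List[str]:
    return _SAMPLE_TABLE.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://public-images.example/cat.png",
                      "http://metadata-alias.example/",
                      "http://127.0.0.1:8000/img.png",
                      "file:///tmp/img.png"):
        print(candidate, "->", "allowed" if is_safe_url(candidate, SAMPLE_RESOLVER) else "rejected")
```

Checking every address a name resolves to, and handing the validated addresses back to the caller, matters more than the blocklist itself: a check that resolves once and lets the HTTP client resolve again is open to DNS rebinding, and a check that ignores redirects can be steered to an internal host by a public one.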