Cyber Resilience

CVE-2026-33626

High · Public PoC

Published: 20 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (0.12.3)
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.4525 (98.6th percentile)
Risk Priority: 60 (floored blend · peak EPSS)

Summary

CVE-2026-33626 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in LMDeploy (InternLM). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 contain a Server-Side Request Forgery vulnerability in the vision-language module, specifically in the load_image function within lmdeploy/vl/utils.py, which retrieves content from arbitrary URLs without validating internal or private IP addresses. This flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can supply a crafted URL to the affected function and force the server to issue requests against internal resources such as cloud metadata services or private network endpoints, potentially disclosing sensitive data. Exploitation requires no user interaction or privileges and can be performed over the network.

The official GitHub advisory GHSA-6w67-hwm5-92mq and the 0.12.3 release notes state that the issue is resolved by updating to version 0.12.3, which incorporates input validation for URLs in the load_image function; the corresponding commit and pull request are referenced in the advisory.
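The advisory describes the flaw and the fix only at the level of "fetches arbitrary URLs" versus "adds URL validation". The block below, an added example that is not LMDeploy's code, shows the vulnerable shape next to one hardened loader, including the checks an SSRF fix usually needs beyond a simple IP blocklist: resolve the name first, reject every non-public answer, connect to the vetted address rather than the name (so the DNS answer cannot change between check and connect), re-vet each redirect, and cap the body size. The function names (`load_image_vulnerable`, `load_image_hardened`, `vet_image_url`) and the blocklist details are assumptions for illustration; the upstream 0.12.3 patch may do less or differently.

```python
"""Added illustration for CVE-2026-33626 (not LMDeploy's code): the SSRF shape
described in the advisory next to one hardened loader. Names such as
load_image_vulnerable / load_image_hardened / vet_image_url are assumptions."""
import http.client
import ipaddress
import socket
import ssl
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], Iterable[str]]

# Ranges that ipaddress does not flag as private on every Python version but
# that an image loader has no business talking to (RFC 1122 "this" network,
# RFC 6598 shared address space).
EXTRA_BLOCKED = [ipaddress.ip_network("0.0.0.0/8"), ipaddress.ip_network("100.64.0.0/10")]


def is_forbidden_ip(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata),
    multicast, reserved and unspecified addresses; v4-mapped v6 is unwrapped."""
    addr = ipaddress.ip_address(ip.split("%", 1)[0])  # drop an IPv6 zone id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if any(addr in net for net in EXTRA_BLOCKED if net.version == addr.version):
        return True
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host: str) -> list[str]:
    """All A/AAAA answers for host; IP literals come back as themselves."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


class UnsafeURL(ValueError):
    pass


def vet_image_url(url: str, resolver: Resolver = system_resolver) -> tuple[str, str, int]:
    """Return (hostname, vetted_ip, port) or raise UnsafeURL.

    Every address the name resolves to must be public: one private record in a
    round-robin answer is enough for an attacker to reach an internal host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password or not parts.hostname:
        raise UnsafeURL("URL must have a plain host and no credentials")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    ips = list(resolver(parts.hostname))
    if not ips:
        raise UnsafeURL(f"{parts.hostname!r} does not resolve")
    for ip in ips:
        if is_forbidden_ip(ip):
            raise UnsafeURL(f"{parts.hostname!r} resolves to non-public {ip}")
    return parts.hostname, ips[0], port


def load_image_vulnerable(url: str) -> bytes:
    """The pattern the advisory describes: whatever URL arrives is fetched."""
    import urllib.request  # follows redirects and resolves names by itself
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def load_image_hardened(url: str, resolver: Resolver = system_resolver,
                        max_bytes: int = 20_000_000, max_redirects: int = 3) -> bytes:
    """Fetch url only after vetting it: connect to the vetted IP, send the
    Host header by hand, re-vet every redirect target, cap the body size."""
    for _ in range(max_redirects + 1):
        host, ip, port = vet_image_url(url, resolver)
        parts = urlsplit(url)
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        sock = socket.create_connection((ip, port), timeout=10)
        if parts.scheme == "https":
            # TLS still validates the certificate against the name, not the IP
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        conn = http.client.HTTPConnection(host, port)  # sets the Host header
        conn.sock = sock  # pre-connected socket: no second name lookup
        try:
            conn.request("GET", target)
            resp = conn.getresponse()
            if resp.status in (301, 302, 303, 307, 308):
                url = urljoin(url, resp.getheader("Location") or "")
                continue  # the loop re-vets the new destination
            if resp.status != 200:
                raise UnsafeURL(f"unexpected status {resp.status}")
            data = resp.read(max_bytes + 1)
            if len(data) > max_bytes:
                raise UnsafeURL("response too large")
            return data
        finally:
            conn.close()
    raise UnsafeURL("too many redirects")
```

Because the hostname goes through the same resolver the fetch would use, alternate spellings of an address (decimal, octal, v4-mapped v6) are normalised by the resolver rather than by a hand-written regex, which is where many first-cut SSRF fixes go wrong. Application-level vetting is still only one layer: on a cloud host the SC-7 control from the summary (egress filtering to the metadata endpoint, or IMDSv2 with a hop limit of 1) catches the cases the code does not.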

The EPSS score has remained flat at 0.0870 with no material increase after disclosure.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in a public-facing LMDeploy server directly enables T1190 for initial access and facilitates T1552.005 by letting an unauthenticated attacker make the server request cloud instance metadata endpoints, disclosing credentials and instance information.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67729 (same product: Internlm Lmdeploy)
CVE-2026-30832 (shared CWE-918)
CVE-2026-28467 (shared CWE-918)
CVE-2026-25545 (shared CWE-918)
CVE-2026-34367 (shared CWE-918)
CVE-2026-27829 (shared CWE-918)
CVE-2026-6604 (shared CWE-918)
CVE-2025-8085 (shared CWE-918)
CVE-2026-41905 (shared CWE-918)
CVE-2026-33752 (shared CWE-918)

Affected Assets

internlm / lmdeploy: versions < 0.12.3 (0.12.3 is the fixed release)

Mitigating Controls

NIST 800-53 r5 (AI-mapped)

prevent · SI-10 Information Input Validation
Requires validation of URL inputs to the load_image() function to block fetches to internal/private IP addresses or cloud metadata services, directly addressing the SSRF vulnerability.

prevent · SC-7 Boundary Protection
Boundary protection enforces network-level filtering to block unauthorized outbound requests to internal networks and sensitive resources exploited via SSRF.

prevent · SI-2 Flaw Remediation
Ensures timely remediation of the specific SSRF flaw through patching to LMDeploy version 0.12.3 or later, eliminating the vulnerable load_image() behavior.

References