CVE-2026-33626
Published: 20 April 2026
Summary
CVE-2026-33626 is a high-severity SSRF (CWE-918) vulnerability in InternLM LMDeploy. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 13.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of URL inputs to the load_image() function to block fetches to internal/private IP addresses or cloud metadata services, directly addressing the SSRF vulnerability.
- SC-7 (Boundary Protection): enforces network-level filtering to block unauthorized outbound requests to internal networks and sensitive resources exploited via SSRF.
- Flaw remediation: ensures timely remediation of the specific SSRF flaw through patching to LMDeploy version 0.12.3 or later, eliminating the vulnerable load_image() behavior.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing LMDeploy server directly enables T1190 for initial access and facilitates Cloud Instance Metadata API (T1522) by allowing unauthenticated requests to cloud instance metadata endpoints for credential/information disclosure.
NVD Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
Deeper analysis
CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models. The issue resides in the vision-language module, specifically the `load_image()` function in `lmdeploy/vl/utils.py`, which fetches arbitrary URLs without validating internal or private IP addresses. Versions of LMDeploy prior to 0.12.3 are vulnerable, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Remote, unauthenticated attackers can exploit this vulnerability by supplying image URLs that the LMDeploy server fetches on their behalf. This allows access to cloud metadata services (such as instance metadata endpoints), internal networks, and other sensitive resources behind firewalls, potentially leading to information disclosure without impacting integrity or availability.
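The input-validation control described above (checking a URL before a `load_image()`-style helper fetches it) is easy to get wrong if the check looks only at the URL string. The following is an added example written for this page; it is not LMDeploy's code and not the 0.12.3 patch. The function names (`validate_image_url`, `is_forbidden_address`, `resolve_all`, `static_resolver`, `is_fetch_allowed`) and the host names and addresses in the sample table are constructed for illustration. The check resolves the host, requires every returned address to be publicly routable, and hands back a pinned address for the caller to connect to.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example: a pre-fetch URL check for an image-loading helper.
# Not LMDeploy's code; function names and sample data are constructed.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Return every IPv4/IPv6 address the system resolver gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_forbidden_address(addr):
    """True for any address that is not publicly routable.

    Covers RFC 1918 space, loopback, link-local (which contains the cloud
    metadata endpoint 169.254.169.254), CGNAT 100.64.0.0/10, IPv6 ULA,
    multicast, reserved ranges and the IPv4-mapped IPv6 forms of all of these.
    """
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 -> 10.0.0.1
    return (
        not addr.is_global
        or addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def validate_image_url(url, resolver=resolve_all):
    """Return (hostname, pinned_ip, port) if url may be fetched, else raise ValueError.

    `resolver` is injectable so the check can be exercised offline.
    """
    parts = urlparse(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    port = parts.port or (443 if scheme == "https" else 80)

    # Decide on the resolved addresses, never on the string: "localhost",
    # an attacker-controlled name, or an integer host like http://2130706433/
    # all end up at 127.0.0.1 once resolved.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            candidates = [ipaddress.ip_address(ip) for ip in resolver(host)]
        except (socket.gaierror, KeyError) as exc:
            raise ValueError("cannot resolve host %r" % host) from exc
    if not candidates:
        raise ValueError("no addresses for host %r" % host)

    # Every record must be public: a name answering with one public and one
    # private address (a DNS-rebinding setup) is rejected as a whole.
    for addr in candidates:
        if is_forbidden_address(addr):
            raise ValueError("%r resolves to non-public address %s" % (host, addr))

    # The caller must connect to pinned_ip (sending Host: hostname) rather than
    # resolving again, and must re-validate any redirect target before following it.
    return host, str(candidates[0]), port


def is_fetch_allowed(url, resolver=resolve_all):
    """Boolean wrapper around validate_image_url for callers that only need a verdict."""
    try:
        validate_image_url(url, resolver)
    except ValueError:
        return False
    return True


def static_resolver(table):
    """Build a resolver backed by a constructed host -> addresses table (offline use)."""
    return lambda host: table[host]


if __name__ == "__main__":
    lookup = static_resolver({
        "images.example": ["1.2.3.4"],               # constructed public answer
        "rebind.example": ["1.2.3.4", "10.0.0.8"],   # constructed mixed answer
    })
    for url in (
        "http://images.example/cat.png",
        "http://rebind.example/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.5]/cat.png",
        "file:///etc/passwd",
    ):
        try:
            print("allow", url, validate_image_url(url, lookup))
        except ValueError as exc:
            print("deny ", url, "->", exc)
```

The design point is the order of operations: the verdict is made on the addresses a name resolves to, and the address that passed the check is the one the fetch must use. A string-based deny list (rejecting `169.254.169.254` or `localhost` as text) is bypassed by an attacker-controlled DNS name, an alternative IP encoding, or a redirect, which is why this pattern pins the address and leaves redirect handling to the caller.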
The vulnerability is patched in LMDeploy version 0.12.3, as detailed in the project's security advisory (GHSA-6w67-hwm5-92mq), release notes, associated pull request (#4447), and patching commit (71d64a339edb901e9005358e0633fbbab367d626). Security practitioners should upgrade to 0.12.3 or later and review deployments of LMDeploy's vision-language features for exposure.
LMDeploy's role in deploying vision-language models for AI inference highlights relevance to machine learning operations, where SSRF risks could expose training data or model-serving infrastructure in cloud environments. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-04-20.
Details
- CWE(s)