New LMDeploy Vulnerability Exploited in the Wild Just 12 Hours After Public Advisory

A new Server-Side Request Forgery (SSRF) flaw in LMDeploy, tracked as CVE-2026-33626, has been weaponized in the wild just 12 hours and 31 minutes after its public GitHub advisory went live.

LMDeploy is a toolkit developed by Shanghai AI Laboratory’s InternLM project for serving vision-language and text LLMs through an OpenAI-compatible API, and is widely used to host models such as InternVL2, internlm-xcomposer2, and Qwen2-VL.

On April 21, 2026, GitHub published advisory GHSA-6w67-hwm5-92mq, later assigned CVE-2026-33626, describing an SSRF issue in LMDeploy’s vision-language image loader.

Versions before 0.12.3 use a vulnerable load_image() implementation that fetches arbitrary URLs from the image_url field without validating hostnames, IP ranges, or schemes.

This allows an attacker to coerce the model server into making HTTP requests into internal networks, cloud metadata services, or other protected endpoints that are not directly exposed to the internet.

According to telemetry from the Sysdig Threat Research Team (TRT), the first exploitation attempt against a honeypot running vulnerable LMDeploy was observed at 03:35 UTC on April 22, 2026, originating from IP address 103.116.72.119 in Kowloon Bay, Hong Kong.

The attempt came just 12 hours and 31 minutes after the advisory appeared on the main GitHub advisory page, despite the absence of any public proof-of-concept exploit code in common repositories at that time.

This reinforces a growing pattern in AI infrastructure attacks, where adversaries rapidly convert advisory details directly into working exploits without waiting for public PoCs.

The attacker’s activity during an eight-minute session shows deliberate weaponization of LMDeploy’s vision-image loader as a generic HTTP SSRF primitive rather than a one-off bug check.

Initial requests targeted AWS Instance Metadata Service (IMDS) at 169.254.169.254 to attempt IAM credential exfiltration, followed by probes against localhost Redis on port 6379 and MySQL on port 3306, as well as a likely secondary HTTP administrative interface on ports 8080 and 80.

The actor also used an out-of-band DNS/HTTP callback domain hosted on requestrepo.com to confirm blind SSRF and egress capabilities, a common technique in modern application security testing and exploitation.

Beyond reconnaissance, the attacker probed LMDeploy’s distributed serving plane by calling an unauthenticated administrative endpoint under /distserve, attempting to disrupt internal model-engine connections and potentially degrade inference.

This demonstrates awareness of LMDeploy’s disaggregated architecture and highlights how SSRF in AI-serving components can quickly pivot into availability and lateral-movement risks.

CVE-2026-33626 has been rated high severity (CVSS 7.5) by multiple vendors and affects LMDeploy versions before 0.12.3.

The patched release introduces stricter URL safety checks to block requests to link-local, loopback, and private RFC1918 ranges, closing off the internal port-scanning and metadata-access vector.

Security teams running LMDeploy or similar AI inference stacks are urged to upgrade to LMDeploy v0.12.3 or later, enforce IMDSv2 with token requirements on cloud instances, and restrict outbound egress from GPU and inference nodes to only necessary destinations such as object storage and logging endpoints.

With exploitation observed within hours of disclosure, periodic patch cycles and slow response processes are increasingly insufficient for protecting AI-serving infrastructure from fast-moving SSRF-driven attacks.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post New LMDeploy Vulnerability Exploited in the Wild Just 12 Hours After Public Advisory appeared first on Cyber Security News.