CyberTimes
Vulnerability Advisory

CVE-2026-33626

CVE-2026-33626 is a CVSS 7.5 Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module that was exploited in the wild 12 hours and 31 minutes after disclosure. Attackers used the AI image loader to steal AWS credentials from the instance metadata service, scan internal networks, and probe Redis and MySQL, with no public proof-of-concept available at the time.

Severity: High
CVSS Score: 7.5 / 10
Fix Status: Patch available
Exploitation: Actively exploited
Published: Apr 24, 2026

Affected Products

  • LMDeploy, all versions 0.12.0 and earlier with vision-language (VLM) support enabled. Affected deployments include those serving internlm-xcomposer2, OpenGVLab/InternVL2-8B, or any other vision-language model through LMDeploy's inference stack.

Key Facts

  • CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language load_image() function, which fetches attacker-supplied URLs without rejecting destinations that resolve to internal or private IP addresses. An attacker can therefore make the inference server reach cloud metadata services, internal networks, and sensitive backend resources on their behalf.
  • Sysdig's honeypot recorded the first exploitation attempt 12 hours and 31 minutes after the advisory was published on GitHub. No proof-of-concept code was public at the time, so the attacker built a working exploit directly from the advisory description.
  • The attacker ran a methodical 8-minute session of 10 requests: probing the AWS Instance Metadata Service (IMDS) for cloud credentials, scanning Redis, MySQL, and internal HTTP admin interfaces, and confirming that DNS queries to an external domain succeeded (an exfiltration channel). Together this amounts to a complete cloud credential theft and internal reconnaissance operation.
  • This is part of an accelerating pattern: AI infrastructure tools, including LMDeploy, Marimo, and inference servers, are being weaponized within hours of disclosure regardless of install base size, because detailed advisory language effectively hands attackers (and their LLMs) an exploit blueprint.
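The two points above, a loader that resolves and fetches whatever URL it is given and a short probing session against IMDS, Redis, MySQL and internal admin ports, share one underlying question: does this URL point somewhere the server should never fetch from? The following is an added example, not LMDeploy's code and not taken from the advisory. It implements that destination check once and uses it in both directions: as a gate in front of a hypothetical image loader, and as detection logic replayed over a constructed log of requested URLs. The function names, the allowed-port policy (80/443 only) and the sample log are assumptions made for the example; only the Python standard library is used.

```python
"""Added example, not LMDeploy's code: destination checks for a URL-based
image loader, and the same checks replayed over a request log to flag SSRF
probing.

Hypothetical assumptions: the loader is handed a URL string and may only
fetch http(s) from publicly routable hosts on ports 80/443; the log is one
requested URL per line.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Hostnames that reach cloud metadata without an IP literal (GCP-style).
METADATA_HOSTS = {"metadata.google.internal", "metadata"}
IMDS_ADDR = ipaddress.ip_address("169.254.169.254")   # AWS/GCP/Azure IMDS
ALLOWED_PORTS = {None, 80, 443}                       # None = scheme default


def classify_address(addr):
    """Return None for a globally routable address, else why it is blocked."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped            # ::ffff:169.254.169.254 -> IPv4 view
    if addr == IMDS_ADDR:
        return "cloud-metadata"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_private:
        return "private"
    if not addr.is_global:                 # multicast, reserved, 100.64/10, ...
        return "non-routable"
    return None


def resolve(host):
    """All A/AAAA records for host; an IP literal resolves to itself."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def classify_url(url):
    """Return None if url may be fetched, else a short reason string."""
    try:
        parts = urlparse(url)
        port = parts.port                  # ValueError on out-of-range ports
    except ValueError:
        return "malformed"
    if parts.scheme not in ("http", "https"):
        return "scheme:" + (parts.scheme or "none")   # file:, gopher:, dict:, ...
    host = parts.hostname                  # already lower-cased by urlparse
    if not host:
        return "no-host"
    if host in METADATA_HOSTS:
        return "cloud-metadata"
    if port not in ALLOWED_PORTS:
        return "port:%d" % port            # 6379, 3306, 8080 admin ports, ...
    addrs = resolve(host)
    if not addrs:
        return "unresolvable"
    for addr in addrs:
        reason = classify_address(addr)
        if reason:
            return reason                  # one internal record blocks the host
    return None


def safe_load_image_url(url):
    """Gate for a loader: raise instead of fetching when the target is not public."""
    reason = classify_url(url)
    if reason:
        raise ValueError("refusing to fetch %s (%s)" % (url, reason))
    return url                             # caller performs the actual fetch


def scan_requests(urls):
    """Detection side: (url, reason) for every logged fetch the gate would refuse."""
    findings = []
    for url in urls:
        reason = classify_url(url)
        if reason:
            findings.append((url, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample log, not real attacker traffic: one legitimate fetch
    # interleaved with the kind of probing described in the advisory.
    SAMPLE_LOG = [
        "http://93.184.216.34/cat.png",                                       # public image
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",  # AWS IMDS
        "http://[::ffff:169.254.169.254]/latest/meta-data/",                  # IMDS via mapped IPv6
        "http://127.0.0.1:6379/",                                             # Redis
        "http://10.0.0.12:3306/",                                             # MySQL
        "http://172.16.0.5:8080/admin",                                       # internal admin UI
        "file:///etc/passwd",                                                 # scheme abuse
    ]
    for url, reason in scan_requests(SAMPLE_LOG):
        print("%-16s %s" % (reason, url))
```

Two caveats a reviewer would raise. First, the check resolves the hostname once and the fetch resolves it again, so a DNS-rebinding attacker can pass the check and still hit an internal address; the fetch should connect to the address that was validated (pinning it and sending the original Host header) or re-run the check on every redirect hop, and redirects should be refused where the loader does not need them. Second, libc resolvers accept IPv4 shorthand such as decimal or hex forms, which is why the example classifies the resolved addresses rather than pattern-matching the hostname string.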

Full Analysis

CVE-2026-33626: LMDeploy SSRF Flaw Exploited in 12 Hours — Attackers Stole AWS Cloud Credentials via AI Image Loader

Deep-dive: technical breakdown, real-world impact, complete remediation steps, and expert context.
