LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

2026-04-24

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

LMDeploy's CVE-2026-33626 SSRF vulnerability was actively exploited within 13 hours of public disclosure.

•CVE-2026-33626 (CVSS 7.5) is a Server-Side Request Forgery vulnerability in the vision-language module affecting LMDeploy versions 0.12.0 and prior.
•The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses.
•Successful exploitation enables attackers to steal cloud credentials, access internal services, port scan networks, and create lateral movement opportunities.
•Sysdig detected the first exploitation attempt within 12 hours 31 minutes of disclosure, using SSRF to target AWS IMDS, Redis, MySQL, and perform DNS exfiltration.
•This pattern reflects how AI infrastructure vulnerabilities are weaponized within hours, accelerated by detailed advisories that LLMs can convert into working exploits.

Related Articles