LMDeploy SSRF exploited within 13 hours to access metadata

An LMDeploy SSRF flaw was exploited within 13 hours of disclosure to reach cloud metadata, internal services and run port scans against model servers.

A Server-Side Request Forgery (SSRF) vulnerability in LMDeploy was actively exploited less than 13 hours after the issue was published, allowing attackers to access cloud metadata, probe internal services and scan ports on model servers. The bug is tracked as CVE-2026-33626 and carries a CVSS score of 7.5. It affects all LMDeploy releases up to 0.12.0 that include vision‑language support.

The project advisory describes the root cause: “The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources.” Orca Security researcher Igor Stepansky is credited with discovering and reporting the flaw.
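One way to enforce the address check the advisory says load_image() lacks, shown as an added example (this is not LMDeploy's code or its fix). The names check_image_url, is_public_address and system_resolver are hypothetical, and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host, port):
    """Return every address the OS resolver gives for host (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def is_public_address(addr):
    """True only for globally routable, non-multicast addresses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (IMDS), CGNAT, etc.
    return ip.is_global and not ip.is_multicast


def check_image_url(url, resolver=system_resolver):
    """Validate a user-supplied image URL before the server fetches it.

    Returns (host, port, addresses) on success; raises ValueError otherwise.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(host, port)
    if not addresses:
        raise ValueError("host did not resolve")
    # Reject if ANY resolved address is non-public, so a mixed DNS answer
    # cannot carry an internal address past the check.
    blocked = [a for a in addresses if not is_public_address(a)]
    if blocked:
        raise ValueError(f"{host} resolves to non-public address {blocked[0]}")
    return host, port, addresses
```

The fetch should connect to one of the returned addresses rather than resolving the name a second time, and the same check has to run on every redirect target.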

Cloud security firm Sysdig detected the first exploitation attempt against its honeypots on April 22, 2026 at 03:35 UTC. The activity originated from IP address 103.116.72.119 and took place over an eight‑minute session that included 10 requests across three phases. The attacker used the vision‑language image loader as a generic HTTP SSRF primitive to map services behind the model server.

During the session, the actor tested reachability with an out‑of‑band DNS callback to requestrepo[.]com, enumerated internal API endpoints, and targeted AWS Instance Metadata Service (IMDS), Redis and MySQL instances. The attacker also scanned the loopback interface (127.0.0.1) and alternated requests between different vision‑language models, including internlm‑xcomposer2 and OpenGVLab/InternVL2‑8B, likely to vary request patterns.

Successful exploitation can expose cloud credentials held in metadata services, allow access to internal services not exposed to the internet, enable internal network port scanning and create opportunities for lateral movement. The maintainers published the affected file path and sample vulnerable code to help users identify and patch the issue.

Sysdig noted that the speed of exploitation is consistent with recent activity in AI infrastructure, where flaws in inference servers, model gateways and orchestration tools have been weaponized within hours of disclosure. The company observed that advisories containing file paths and vulnerable code can be used as inputs to automated tools that accelerate exploit development.

The LMDeploy advisory recommends updating to a fixed release when available, disabling or restricting vision‑language features until patched, and monitoring outbound requests from model servers for unusual activity. Operators are advised to check for any access to cloud metadata endpoints and unexpected internal network scans.

Related activity includes exploitation of two WordPress plugin vulnerabilities, CVE‑2026‑0740 and CVE‑2026‑3844, which have been used to upload files and achieve remote code execution on vulnerable sites. A separate campaign from September to November 2025 probed internet‑exposed Modbus‑enabled programmable logic controllers across 70 countries and 14,426 distinct IPs, with many probes traced to sources in the United States, France, Japan, Canada and India.

Administrators of LMDeploy deployments that use vision‑language capabilities should verify version numbers, apply updates when they become available, restrict servers’ ability to fetch arbitrary external resources and log outbound traffic from inference instances.
