thehackernews.com 4/24/2026, 8:41:12 AM · via preferred

LMDeploy SSRF flaw used hours after CVE-2026-33626 release

CyberSIXT Evidence Panel
CVE Intel
CISA KEV: Not in KEV
Patch: Patch available

LMDeploy's high-severity vulnerability CVE-2026-33626 was exploited within 13 hours of its public disclosure, exposing a Server-Side Request Forgery flaw in the project's vision-language module. According to Sysdig, the advisory notes that the load_image() function in lmdeploy/vl/utils[.]py fetches arbitrary URLs without validating internal/private IP addresses, enabling access to cloud metadata services, internal networks, and sensitive resources.

The flaw affects all LMDeploy versions with vision language support (0.12.0 and prior), and Igor Stepansky of Orca Security is credited with discovery and reporting.

Sysdig detected the first exploitation against its honeypot systems within 12 hours and 31 minutes of the vulnerability being published on GitHub, with the attack originating from IP 103.116.72[.]119 and carried out over an eight‑minute session that used the vision-language image loader as a generic HTTP SSRF primitive to port-scan internal services, including AWS Instance Metadata Service, Redis, MySQL, a secondary HTTP admin interface, and an out-of-band DNS exfiltration endpoint. The activity was observed on 22 April 2026 at 03:35 a.m. UTC, illustrating threat actors’ rapid weaponisation of new disclosures.
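The pre-fetch validation that the advisory says load_image() lacks, as an added example (not LMDeploy's own code; check_image_url, its block list and the injectable resolver are assumptions): it resolves the URL's host and rejects every address in a loopback, private, link-local or metadata range, which covers the IMDS, Redis and MySQL targets named above.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical hardened check for an image loader like the one in the advisory.
# Added example code, not LMDeploy's load_image(); names and policy are assumed.

# Ranges an image loader should never reach: loopback, RFC 1918, CGNAT,
# link-local (which includes the 169.254.169.254 cloud metadata endpoint),
# and the IPv6 equivalents plus IPv4-mapped IPv6 addresses.
_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def _default_resolve(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_image_url(url, resolve=_default_resolve):
    """Return (allowed, reason) for a URL the image loader is about to fetch.

    Rejects non-HTTP schemes and any host that resolves to a blocked range.
    Every resolved address is checked, so a name with one public and one
    internal record is still rejected.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parsed.scheme!r}"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no DNS lookup
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
            return False, f"{addr} is not a routable unicast address"
        if any(ip in net for net in _BLOCKED):
            return False, f"{addr} is in a blocked range"
    return True, "ok"
```

The check has to be repeated on every redirect hop, and the fetch should connect to the address that was validated rather than re-resolving the name, otherwise a redirect or DNS rebinding lands the request back inside the blocked ranges.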


Article by CyberSIXT