A high-severity flaw in LMDeploy was being actively exploited less than 13 hours after public disclosure, with attackers using the issue to probe internal services and cloud metadata endpoints, according to a technical analysis from Sysdig. The vulnerability, tracked as CVE-2026-33626, affects versions 0.12.0 and earlier with vision language support.
KEY FACTS
- Bug type Server-side request forgery in the vision language module
- Affected software LMDeploy 0.12.0 and earlier with vision language support
- Discovery Orca Security researcher Igor Stepansky reported the flaw
- Exploitation Sysdig said it saw an attack within 12 hours and 31 minutes of disclosure
- Impact The flaw could expose cloud credentials and internal services
The advisory said the load_image() function in lmdeploy/vl/utils.py can fetch arbitrary URLs without checking for internal or private IP addresses. That behavior could allow access to cloud metadata services, internal networks and other sensitive resources.
Sysdig said the first attack came from IP address 103.116.72[.]119 and ran for eight minutes across 10 requests. The activity targeted AWS Instance Metadata Service, Redis, MySQL, a secondary HTTP administrative interface and an out-of-band DNS endpoint used to confirm external reachability.
The report said the attacker also switched between different vision language models during the session, likely to avoid suspicion, and used the SSRF path to port scan the loopback interface at 127.0.0[.]1. The company said the pattern showed the flaw was being used as a general HTTP SSRF primitive rather than only for validation.
LMDeploy maintainers said the issue affects all versions through 0.12.0 with vision language support. The disclosure did not say whether a patch had reached all users at the time of the attack, but it warned that successful exploitation could enable credential theft, internal reconnaissance and lateral movement opportunities.
WHY IT MATTERS
The case shows how quickly newly disclosed flaws in AI infrastructure can be turned into live attacks. It also highlights the risk that a single SSRF issue can give outsiders a way to reach internal services and cloud metadata systems that are not exposed to the public internet.