A severe security vulnerability has emerged in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs). The flaw, tracked as CVE-2026-33626 with a CVSS score of 7.5, is a Server-Side Request Forgery (SSRF) vulnerability that was actively exploited less than 13 hours after its disclosure.

According to an advisory released by the maintainers of LMDeploy, the SSRF vulnerability exists within the vision-language module. Specifically, the load_image() function in lmdeploy/vl/utils.py fetches arbitrary user-supplied URLs without checking whether they resolve to internal or private IP addresses, which creates a risk of sensitive data exposure.

This vulnerability impacts all versions prior to 0.12.0 that support vision-language functionalities. The researcher Igor Stepansky from Orca Security is credited with identifying and reporting this critical flaw.

If successfully exploited, an attacker could access sensitive cloud metadata, steal credentials, port-scan internal networks, and create pathways for lateral movement within the network. An analysis by cloud security firm Sysdig identified exploitation attempts against their honeypots within just over 12 hours following the vulnerability’s public posting, tracing the attack back to the IP address 103.116.72[.]119.

The attacker’s activity went beyond simply confirming that the vulnerability existed. In a session lasting only eight minutes, the attacker used the vision-language image loader to perform a series of internal network port scans, targeting critical services such as the AWS Instance Metadata Service (IMDS), Redis, and MySQL. The exploitation trail also showed attempts to validate external connectivity via DNS callbacks in order to confirm SSRF reachability.
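The two points above, the missing private-address check in the image loader and the IMDS/Redis/MySQL probes an attacker sends through it, are illustrated by the following added example. It is not LMDeploy's own code or its 0.12.0 fix; `resolve_and_check()`, `is_blocked_address()`, `find_ssrf_probes()` and the log format are hypothetical, and the log lines are constructed. The first part shows the check a URL fetcher should run before connecting: resolve the host once, reject every address that falls in a loopback, private, link-local (which includes 169.254.169.254, the IMDS endpoint) or IPv4-mapped range, and hand the vetted addresses back so the caller can pin the connection to them rather than letting the HTTP client resolve the name a second time. The second part reuses the same classifier over access-log lines to surface the kind of internal probes described in the article.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges an image fetcher serving untrusted prompts should never reach.
# 169.254.0.0/16 covers the AWS IMDS endpoint (169.254.169.254); the IPv6
# entries cover loopback, unique-local, link-local and IPv4-mapped addresses.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr is a literal IP inside any blocked range (False for non-IPs)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    # ip_network.__contains__ returns False across IP versions, so mixing is safe.
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_and_check(url: str, resolver=socket.getaddrinfo):
    """
    Parse url, resolve its host and return the sorted list of resolved IPs
    if every one of them is publicly routable; raise ValueError otherwise.
    `resolver` is injectable (hypothetical parameter) so the check can be
    exercised offline; production code passes nothing and gets getaddrinfo.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError(f"host not allowed: {host}")
    try:
        ipaddress.ip_address(host)      # literal IPv4/IPv6 (urlparse strips [])
        addrs = [host]
    except ValueError:
        # Every answer must pass: the attacker controls the DNS zone, so one
        # private record among public ones is enough to reach the inside.
        addrs = sorted({info[4][0] for info in resolver(host, None)})
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    return addrs


# Constructed (not real) access-log lines in the shape of an inference
# server's request log: timestamp, client IP, and the image URL the prompt
# asked the server to fetch. Client IPs are documentation addresses.
SAMPLE_LOG = """\
2026-04-22T03:35:02Z 203.0.113.9 image_url=http://169.254.169.254/latest/meta-data/
2026-04-22T03:35:10Z 203.0.113.9 image_url=http://127.0.0.1:6379/
2026-04-22T03:35:19Z 203.0.113.9 image_url=http://10.0.0.12:3306/
2026-04-22T03:35:40Z 198.51.100.4 image_url=https://example.com/cat.png
"""


def find_ssrf_probes(log_text: str):
    """
    Return (timestamp, client, url) for each log line whose image URL points
    at a blocked target. Only literal IPs and localhost are classified here:
    hostnames are deliberately not resolved, so this runs offline and never
    makes the same request the attacker did.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3 or not parts[2].startswith("image_url="):
            continue
        url = parts[2][len("image_url="):]
        host = urlparse(url).hostname or ""
        if host == "localhost" or is_blocked_address(host):
            hits.append((parts[0], parts[1], url))
    return hits


if __name__ == "__main__":
    for probe in find_ssrf_probes(SAMPLE_LOG):
        print("SSRF probe:", *probe)
    try:
        resolve_and_check("http://169.254.169.254/latest/meta-data/")
    except ValueError as exc:
        print("blocked:", exc)
```

The list-based check is used instead of `ipaddress.ip_address(x).is_private` because the explicit ranges make the policy reviewable and can be extended per deployment (for example to an internal service range the server should never fetch from). Returning the vetted address list matters: if the fetcher resolves the hostname again at connect time, a DNS answer that changes between the check and the connection bypasses the check entirely.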

On April 22, 2026, at 03:35 UTC, the attack spanned ten distinct requests across three phases, alternating between using different vision-language models (VLMs) to evade detection. The tactics demonstrated in this case are reflective of a broader trend, where threat actors rapidly exploit newly disclosed vulnerabilities with minimal delay, regardless of the size of the affected user base.

Given the details surrounding CVE-2026-33626, it is important for cybersecurity professionals to recognize the risks that SSRF vulnerabilities pose. The case highlights a concerning pattern in AI infrastructure, where critical vulnerabilities in inference servers and model orchestration tools are targeted by malicious actors within hours, before most users have had the opportunity to apply the necessary patches.

Furthermore, the active exploitation of vulnerabilities in other technologies, such as WordPress plugins and internet-exposed devices, illustrates the diverse landscape of cyber threats currently facing organizations. These incidents serve to reinforce the necessity for robust security measures and awareness among business owners, especially as new vulnerabilities continue to surface in widely used tools and frameworks.