Attackers Exploit Critical LMDeploy SSRF Vulnerability Within 12 Hours of Advisory
Active threat. Treat this incident as active until mitigation or patch adoption has been verified.
Ethan Carter is the responsible editor for this article. He leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents.
A high-severity Server-Side Request Forgery (SSRF) vulnerability in LMDeploy’s vision-language module (CVE-2026-33626) was actively exploited in the wild just 12 hours after its public disclosure. This article consolidates multiple source reports to provide a comprehensive analysis of the attack timeline, affected parties, and actionable steps to mitigate risk. We also cover the latest 2026 updates and practical guidance for securing systems against this rapidly weaponized flaw.
What happened
On April 21, 2026, GitHub published a security advisory (GHSA-6w67-hwm5-92mq) detailing a critical Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, an open-source vision-language toolkit developed by a Shanghai-based team. The flaw, assigned CVE-2026-33626 and rated with a CVSS score of 7.5, allows attackers to manipulate server requests and potentially access internal resources or sensitive data.
Remarkably, attackers began exploiting this vulnerability in the wild within just 12 hours and 31 minutes after the advisory went public, without the need for publicly available proof-of-concept (PoC) code. This rapid weaponization underscores the high risk posed by SSRF vulnerabilities in widely used open-source components.
Confirmed facts
- The vulnerability is a Server-Side Request Forgery (SSRF) flaw in LMDeploy's vision-language module.
- CVE-2026-33626 was publicly disclosed on April 21, 2026, via a GitHub advisory.
- The flaw has a CVSS severity rating of 7.5, indicating high risk.
- Exploitation attempts were detected in the wild within 12 hours and 31 minutes of disclosure.
- No public proof-of-concept exploit code was required for attackers to launch attacks.
- LMDeploy is an open-source toolkit widely used in AI and vision-language research and applications.
- The vulnerability allows attackers to coerce the server into making arbitrary HTTP requests, potentially accessing internal networks, metadata services, or confidential endpoints.
Who is affected
Organizations and developers using LMDeploy in their AI and vision-language projects are at immediate risk. Given LMDeploy's popularity in machine learning research and production environments, this includes:
- AI startups and enterprises integrating LMDeploy for vision-language tasks.
- Cloud environments hosting LMDeploy instances, especially those with internal network access.
- Developers relying on LMDeploy for prototyping or production pipelines.
Because SSRF flaws can be leveraged to pivot into internal systems, any infrastructure reachable from a vulnerable LMDeploy deployment is potentially at risk of compromise. This includes private cloud services, internal APIs, and the cloud metadata services that are commonly targeted for credential theft.
What to do now
- Immediate Patch Application: Update LMDeploy to the latest version that includes the security fix addressing CVE-2026-33626. The LMDeploy maintainers released a patch concurrently with the advisory.
- Audit Logs for Suspicious Activity: Check server and network logs for unusual outbound requests or access patterns following April 21, 2026.
- Restrict Network Access: Implement network segmentation and firewall rules to limit LMDeploy servers’ ability to make arbitrary outbound HTTP requests.
- Review Internal Metadata Service Exposure: Ensure that internal cloud metadata services (e.g., AWS IMDS) are not accessible from LMDeploy instances.
- Notify Stakeholders: Inform relevant teams and users about the vulnerability and ongoing mitigations.
- Monitor Threat Intelligence Feeds: Stay updated on emerging exploit techniques or indicators of compromise related to this flaw.
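The "Audit Logs for Suspicious Activity" step above can be made concrete: the script below is an added example (not code from the article or from the LMDeploy project) that scans outbound-request log lines from a model-serving host and flags destinations an inference server has no business calling, namely the link-local metadata range, loopback, RFC 1918 space, and anything outside an egress allowlist. The log format, the allowlist and the log lines are constructed assumptions; only the disclosure date comes from the advisory.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Public disclosure date from the advisory; only lines at or after it are examined.
DISCLOSURE = datetime(2026, 4, 21, tzinfo=timezone.utc)

# Hypothetical egress allowlist for the inference hosts (an assumption, not from the advisory).
ALLOWED_HOSTS = {"huggingface.co", "pypi.org"}

# Constructed sample lines in a simple key=value egress-proxy format (not real logs).
SAMPLE_LOG = """\
2026-04-20T11:02:10Z src=10.0.4.12 host=huggingface.co dst=13.33.33.20
2026-04-22T03:14:07Z src=10.0.4.12 host=169.254.169.254 dst=169.254.169.254
2026-04-22T03:14:09Z src=10.0.4.12 host=10.0.0.5 dst=10.0.0.5
2026-04-22T03:15:01Z src=10.0.4.12 host=pypi.org dst=151.101.1.63
2026-04-22T03:17:02Z src=10.0.4.12 host=localhost dst=127.0.0.1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)$")


def classify_destination(host, ip_text):
    """Return why a destination is suspicious for a model-serving host, or None if it is fine."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_link_local:      # 169.254.0.0/16: where cloud metadata services (e.g. IMDS) answer
        return "link-local/metadata"
    if ip.is_loopback:        # other services on the same host
        return "loopback"
    if ip.is_private:         # RFC 1918 / ULA: internal APIs the model server should not call
        return "private-network"
    if host not in ALLOWED_HOSTS:
        return "not-allowlisted"
    return None


def audit_egress(log_text, since=DISCLOSURE):
    """Return (timestamp, source, host, reason) for each suspicious request at or after `since`."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real audit should count and inspect these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts < since:
            continue
        reason = classify_destination(m["host"], m["dst"])
        if reason:
            findings.append((m["ts"], m["src"], m["host"], reason))
    return findings
```

Run `audit_egress(SAMPLE_LOG)` to see the three flagged requests; point it at your own proxy or flow logs after adapting `LINE_RE` and `ALLOWED_HOSTS`.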
How to secure yourself
- Isolate LMDeploy Deployments: Run LMDeploy services in sandboxed or containerized environments with strict egress controls.
- Implement Web Application Firewalls (WAFs): Use WAFs capable of detecting and blocking SSRF attack patterns.
- Use Network Access Control Lists (ACLs): Limit outbound HTTP/HTTPS requests from LMDeploy hosts to only trusted endpoints.
- Regularly Update Dependencies: Maintain an up-to-date inventory of open-source components and apply security patches promptly.
- Conduct Penetration Testing: Simulate SSRF attacks against your LMDeploy deployments to identify residual weaknesses.
- Educate Developers: Train teams on SSRF risks and secure coding practices to prevent similar vulnerabilities.
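The network ACL and secure-coding items above have an application-level counterpart: validate every server-side fetch of a user-supplied URL before the request is made. The function below is an added example (not the LMDeploy fix and not the project's code); it assumes a service that fetches images by URL, and decides on the resolved addresses rather than the hostname so that a name aliasing to loopback, link-local or private space is rejected. `ALLOWED_HOSTS` and the resolver hook are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist for an image-fetching endpoint (assumption; pass None to allow any public host).
ALLOWED_HOSTS = {"images.example.com"}


def default_resolver(hostname):
    """Return every A/AAAA answer for a name; a hostile name may answer with several, so all are checked."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (host, sorted public addresses) for a URL the server may fetch, else raise ValueError.

    The decision is made on the resolved addresses, not the name, so "localhost", a bare
    169.254.169.254 and a DNS alias pointing into the private network are all rejected.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if not host:
        raise ValueError("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise ValueError(f"host not allowlisted: {host!r}")
    addrs = sorted(resolver(host))
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:  # loopback, link-local (metadata), RFC 1918, ULA, reserved, ...
            raise ValueError(f"{host} resolves to non-public address {ip}")
    # The caller should connect to one of these pinned addresses (Host header = host) with
    # redirects disabled, so neither a second lookup (DNS rebinding) nor a 3xx can send
    # the request somewhere this check never saw.
    return host, addrs


def is_safe_outbound_url(url, **kwargs):
    """Boolean wrapper for call sites that only need an accept/reject decision."""
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except ValueError:
        return False
```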
2026 update
As of June 2026, several developments have emerged:
- Widespread Exploitation Confirmed: Security researchers have documented multiple campaigns exploiting CVE-2026-33626 targeting cloud-hosted LMDeploy instances.
- Enhanced Detection Tools Released: Open-source and commercial security vendors have updated their tools to detect SSRF attempts specific to LMDeploy.
- Community Patches and Forks: Some community members have released hardened LMDeploy forks with additional SSRF mitigations.
- Cloud Providers Issue Guidance: Major cloud platforms have published best practices to protect metadata services from SSRF attacks.
- Regulatory Attention: Given the rapid exploitation and potential data breach implications, some jurisdictions are considering mandatory vulnerability disclosure timelines for open-source projects.
FAQ
What is LMDeploy and why is it important?
LMDeploy is an open-source toolkit designed for vision-language AI tasks, widely used in research and production environments for integrating image and text processing.
What is Server-Side Request Forgery (SSRF)?
SSRF is a vulnerability where attackers trick a server into making unauthorized HTTP requests, potentially accessing internal systems or sensitive data.
How quickly was the LMDeploy vulnerability exploited?
Attackers began exploiting the flaw within 12 hours and 31 minutes after the public advisory was released.
Do I need proof-of-concept code to be exploited?
No, attackers exploited the vulnerability without needing publicly available proof-of-concept code.
Who should be most concerned about this vulnerability?
Organizations and developers using LMDeploy, especially in cloud environments or with internal network access, should be highly concerned.
How can I tell if my LMDeploy deployment was compromised?
Look for unusual outbound HTTP requests, access to internal metadata services, or unexpected network traffic originating from LMDeploy servers.
What immediate steps should I take to mitigate the risk?
Apply the official patch, restrict network access, audit logs, and monitor for suspicious activity.
Are there any long-term strategies to prevent SSRF vulnerabilities?
Yes: sandbox the services, deploy WAFs, enforce strict network controls, keep dependencies updated, and train developers on SSRF risks.
Has this vulnerability affected other open-source projects?
Currently, CVE-2026-33626 is specific to LMDeploy, but SSRF remains a common risk in many web-facing applications.
What changes occurred in 2026 regarding vulnerability disclosures?
There is increased regulatory focus on timely disclosure and patching of open-source vulnerabilities due to incidents like this.
Why this matters
This incident highlights the persistent threat posed by SSRF vulnerabilities in open-source software, especially those integrated into AI and cloud environments. The rapid exploitation timeline—just over 12 hours—demonstrates attackers’ agility and the critical need for immediate patching and proactive defense measures. Organizations relying on LMDeploy face real risks of data breaches, internal network compromise, and service disruption. This event also underscores the broader cybersecurity challenge of securing open-source supply chains and the importance of coordinated vulnerability disclosure.
Sources and corroboration
This article synthesizes information from multiple corroborating sources, primarily the detailed report published by GBHackers Security on April 23, 2026, and the official GitHub advisory GHSA-6w67-hwm5-92mq. Additional insights were drawn from security researchers’ analyses and cloud provider guidance released in the wake of the vulnerability disclosure.
- https://gbhackers.com/attackers-exploit-lmdeploy-flaw/
- GitHub Security Advisory GHSA-6w67-hwm5-92mq