LMDeploy AI Inference Engine Exploited Hours After SSRF Disclosure
Take action: If you're running LMDeploy, immediately update to version 0.12.3 or later to patch the SSRF vulnerability (CVE-2026-33626). Also, enforce IMDSv2 with required session tokens on your cloud instances and restrict outbound network traffic from inference servers to block credential theft and internal scanning.
LMDeploy, an open-source toolkit for large language models (LLMs) developed by Shanghai AI Laboratory, is facing active exploitation of a high-severity vulnerability.
The exploited flaw is tracked as CVE-2026-33626 (CVSS score 7.5), a server-side request forgery (SSRF) in the vision-language module of LMDeploy that allows unauthenticated attackers to fetch arbitrary URLs. The load_image() function fails to validate internal or private IP addresses when processing image_url fields in chat completion requests. This allows attackers to use the inference server as a proxy to reach sensitive internal resources or cloud metadata services.
The flaw was weaponized within 13 hours of its public disclosure on GitHub. Attackers are targeting the vision-language module to perform server-side request forgery (SSRF) attacks against inference servers, allowing them to bypass network boundaries.
Successful exploitation of the LMDeploy flaw allows attackers to steal sensitive data and map internal infrastructure. During observed attacks, adversaries performed port scans on loopback interfaces and targeted the AWS Instance Metadata Service (IMDS) to steal cloud credentials.
The vulnerability affects all versions of LMDeploy up to and including 0.12.0 that support vision-language models.
Security researchers detected a multi-phase attack originating from IP 103.116.72[.]119, which used models like internlm-xcomposer2 and InternVL2-8B to mask malicious probes. The attacker also attempted to disrupt services by probing the p2p_drop_connect administrative endpoint, which can tear down connections in disaggregated clusters without requiring authentication.
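The two points above that a defender most needs to operationalise are the missing destination check in the `image_url` path and the observed probe pattern (loopback ports, the AWS metadata address, the `p2p_drop_connect` endpoint). The block below is an added example, not LMDeploy's code or its 0.12.3 patch: it shows what an SSRF guard for a vision-language endpoint has to reject, including literal-IP disguises such as decimal, hex and IPv4-mapped IPv6 spellings, and then runs that same classifier over constructed request records to flag the activity the article describes. The function names (`is_safe_image_url`, `scan_requests`), the record format and the route path used for `p2p_drop_connect` are assumptions; in a real deployment the route comes from the server's own routing table.

```python
"""
Added example (not LMDeploy code): classify image_url targets the way an
SSRF guard for a vision-language endpoint must, then apply that classifier
to constructed request records. Names and log format are assumptions.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the set of IP strings it currently maps to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    # Drop any IPv6 scope suffix ("fe80::1%eth0") before parsing.
    return {info[4][0].split("%")[0] for info in infos}


def host_to_addresses(host, resolver):
    """Turn a URL host into IP address objects, unmasking literal-IP disguises."""
    try:  # plain IPv4/IPv6 literal (urlsplit already strips the [] brackets)
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    try:  # decimal (2130706433) or hex (0x7f000001) spellings of an IPv4 address
        return {ipaddress.ip_address(int(host, 0))}
    except ValueError:
        pass
    return {ipaddress.ip_address(a) for a in resolver(host)}


def is_blocked_address(ip):
    """True for any address an inference host should never be asked to fetch."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
    # is_global is False for loopback, RFC1918, link-local (169.254.0.0/16,
    # which covers the IMDS address), CGNAT and the documentation ranges.
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved


def is_safe_image_url(url, resolver=default_resolver):
    """Return True only for http(s) URLs whose every resolved address is public.

    Any miss (bad scheme, no host, unresolvable, one non-global record)
    rejects the URL, so a DNS answer mixing public and private records
    cannot slip through.
    """
    try:
        parts = urlsplit(url)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
            return False
        addresses = host_to_addresses(parts.hostname, resolver)
    except ValueError:
        return False
    if not addresses:
        return False
    return not any(is_blocked_address(ip) for ip in addresses)


# Constructed request records, as a logging middleware in front of the chat
# completions route might emit them. Source addresses are documentation
# ranges; the route for p2p_drop_connect is an assumed placeholder.
SAMPLE_REQUESTS = [
    {"src": "198.51.100.20", "path": "/v1/chat/completions",
     "image_url": "https://93.184.216.34/cat.png"},
    {"src": "198.51.100.77", "path": "/v1/chat/completions",
     "image_url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"},
    {"src": "198.51.100.77", "path": "/v1/chat/completions",
     "image_url": "http://127.0.0.1:8000/"},
    {"src": "198.51.100.77", "path": "/v1/chat/completions",
     "image_url": "http://2130706433:22/"},
    {"src": "198.51.100.77", "path": "/p2p_drop_connect", "image_url": None},
]


def scan_requests(records, resolver=default_resolver):
    """Flag records whose image_url points inward or that touch p2p_drop_connect."""
    findings = []
    for rec in records:
        if "p2p_drop_connect" in rec["path"]:
            findings.append((rec["src"], "admin endpoint probe", rec["path"]))
        url = rec.get("image_url")
        if url and not is_safe_image_url(url, resolver):
            findings.append((rec["src"], "internal image_url", url))
    return findings


if __name__ == "__main__":
    for src, kind, detail in scan_requests(SAMPLE_REQUESTS):
        print(f"{src}\t{kind}\t{detail}")
```

Two design choices matter here. First, the guard validates the addresses a hostname resolves to, not the hostname string, which is the only way to catch names that resolve to loopback or link-local space; it is still exposed to DNS rebinding between the check and the fetch, so a production guard should pin the address it validated and connect to that address rather than re-resolving. Second, the detector reuses the same classifier, so any spelling the guard would reject is also what the detector flags in historical request records, which is the quickest way to check whether a pre-0.12.3 server already saw this traffic.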
Organizations should immediately update LMDeploy to version 0.12.3 or later to apply the necessary URL validation patches. To mitigate the risk of credential theft, administrators must enforce IMDSv2 with required session tokens and restrict outbound egress at the network level.