# Active Exploitation of LMDeploy SSRF Flaw Detected Hours After Disclosure


## The Threat


A critical security vulnerability in LMDeploy, the popular open-source toolkit for compressing and deploying large language models, has entered active exploitation in the wild less than 13 hours after its public disclosure. Tracked as CVE-2026-33626, the flaw is a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to make arbitrary HTTP requests from an affected server, potentially exposing sensitive internal data, credentials, and metadata.


The vulnerability exists in LMDeploy's request handling mechanisms, where insufficient input validation on URL parameters permits attackers to manipulate the application into accessing internal network resources and cloud metadata services. This is particularly dangerous for deployments running on cloud infrastructure (AWS, Azure, GCP), where metadata endpoints accessible from the server can leak temporary credentials, secrets, and instance configuration details.


Security researchers and threat intelligence teams reported the first exploitation attempts within hours of the CVE announcement, suggesting the vulnerability was either discovered through rapid vulnerability scanning or leaked prior to official disclosure. Organizations running LMDeploy in production environments face immediate risk of data exfiltration and unauthorized lateral movement within their infrastructure.


## Severity and Impact


| Field | Value |
|-----------|-----------|
| CVE ID | CVE-2026-33626 |
| CVSS v3.1 Score | 7.5 (High) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| CWE ID | CWE-918 (Server-Side Request Forgery) |
| Exploitability | Actively exploited in the wild |


The CVSS score of 7.5 reflects the high confidentiality impact: attackers can retrieve sensitive information without authentication or user interaction. The low attack complexity means the exploit requires no special conditions or timing—a simple malformed request can trigger the vulnerability. Organizations should prioritize patching within 24-48 hours.


## Affected Products


LMDeploy Versions:

  • LMDeploy < 0.4.2 (all versions prior to 0.4.2 are affected)
    - Specifically vulnerable in versions 0.3.x, 0.4.0, and 0.4.1
    - Version 0.4.2 and later contain the security patch


Deployment Scenarios at Highest Risk:

  • LMDeploy instances deployed on cloud infrastructure (AWS EC2, Azure VMs, Google Compute Engine)
  • Containers running LMDeploy with access to cloud metadata endpoints (169.254.169.254)
  • Kubernetes deployments using LMDeploy without network policies restricting egress
  • Instances with IAM roles or service account credentials attached
  • Multi-tenant deployments where users can specify custom model URLs or endpoints

Organizations running LMDeploy in air-gapped environments or with strict egress filtering face lower immediate risk, but should still apply patches to address the underlying vulnerability.


## Mitigations


Immediate Actions (Next 24 Hours):

1. Patch Immediately: Update LMDeploy to version 0.4.2 or later. Patches are available on the official GitHub repository. For production environments, test the update in a staging environment first, but do not delay deployment beyond 24 hours.

2. Network Segmentation: Restrict outbound HTTP/HTTPS traffic from LMDeploy instances to only necessary external endpoints. Block access to cloud metadata endpoints (169.254.169.254 on AWS, internal.azureservices.com on Azure, metadata.google.internal on GCP) at the network layer using security groups, firewalls, or Kubernetes NetworkPolicies.

3. Credential Rotation: If your LMDeploy instances have IAM roles or service account credentials, rotate all credentials immediately, as they may have been accessed through the SSRF vulnerability.


Short-Term Hardening (This Week):

4. Input Validation Audit: Review custom configurations and any user-supplied URLs passed to LMDeploy. Implement strict validation to ensure only trusted endpoints are accessible.

5. Web Application Firewall (WAF): Deploy a WAF in front of LMDeploy instances to block requests to suspicious internal ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, cloud metadata endpoints).

6. Logging and Monitoring: Enable detailed request logging on LMDeploy to identify any exploitation attempts. Monitor for outbound connections to unexpected destinations, particularly internal IP ranges or cloud metadata endpoints.

7. Cloud Metadata Protection: On AWS, use IMDSv2 (Instance Metadata Service Version 2) which requires session tokens, making exploitation more difficult. On Azure and GCP, review IAM policies to limit what metadata and secrets are available to compute instances.
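
For the input validation in item 4, the following is an added example (not LMDeploy's code and not the 0.4.2 patch) of a check that a service can run on a user-supplied URL before fetching it. The function names and the injectable `resolver` parameter are assumptions of this sketch; the metadata hostnames are the ones listed in item 2.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Metadata hostnames named in mitigation 2 of this page.
METADATA_HOSTS = {"metadata.google.internal", "internal.azureservices.com"}

class BlockedURL(ValueError):
    """A user-supplied URL that the server must not fetch."""

def system_resolver(host, port):
    """Return every address the OS resolver gives for host (empty set on failure)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except OSError:
        return set()
    return {info[4][0] for info in infos}

def is_internal(ip):
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
    # "not is_global" covers 10/8, 172.16/12, 192.168/16, loopback and
    # link-local 169.254/16 (the metadata address), plus other reserved space.
    return not ip.is_global

def validate_fetch_url(url, resolver=system_resolver):
    """Return the vetted IP strings for url, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise BlockedURL("invalid port") from exc
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or parts.username or parts.password:
        raise BlockedURL("missing host or embedded credentials")
    if host in METADATA_HOSTS:
        raise BlockedURL(f"metadata hostname: {host}")
    try:
        addrs = {ipaddress.ip_address(host)}  # IP literal, no DNS lookup
    except ValueError:
        # Hostname: judge it by every address it resolves to.
        addrs = {ipaddress.ip_address(a.split("%")[0]) for a in resolver(host, port)}
    if not addrs:
        raise BlockedURL(f"{host} did not resolve")
    for ip in addrs:
        if is_internal(ip):
            raise BlockedURL(f"{host} resolves to non-public address {ip}")
    return {str(ip) for ip in addrs}
```

The caller should connect to one of the returned addresses rather than resolving the name a second time, and should either disable HTTP redirects or run every redirect target through the same check.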


Long-Term Recommendations:

8. Keep Software Updated: Subscribe to LMDeploy security advisories and apply patches promptly. Use automated dependency scanning tools in your CI/CD pipeline to flag vulnerable versions.

9. Zero-Trust Architecture: Implement least-privilege access for all services. LMDeploy should only have credentials and network access required for its specific function—avoid over-privileged service accounts.

10. Security Scanning: Regularly scan your environment for exposed LMDeploy instances and verify patch levels using vulnerability assessment tools.
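
For the egress monitoring in item 6, the following is an added example (not part of LMDeploy or of any vendor tooling) that scans connection logs for flows from LMDeploy hosts to the metadata address, the internal ranges from item 5, or destinations outside an allow-list. The log format, the sample lines, and the host and allow-list addresses are constructed for illustration.

```python
import ipaddress

# Addresses and ranges named in mitigations 2 and 5 of this page.
METADATA = ipaddress.ip_address("169.254.169.254")
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in a hypothetical format: time src dst dport action
SAMPLE_LOG = """\
2026-01-01T10:00:01Z 10.20.0.15 93.184.216.34 443 ACCEPT
2026-01-01T10:00:07Z 10.20.0.15 169.254.169.254 80 ACCEPT
2026-01-01T10:00:09Z 10.20.0.15 10.20.3.8 6379 REJECT
2026-01-01T10:00:12Z 10.20.0.99 10.20.3.8 5432 ACCEPT
2026-01-01T10:00:15Z 10.20.0.15 198.18.0.7 8080 ACCEPT
malformed line
"""

def classify(dst, allowed):
    """Name the reason a destination is suspect, or return None."""
    if dst == METADATA:
        return "metadata"        # never allow-listable
    if dst in allowed:
        return None
    if any(dst in net for net in INTERNAL):
        return "internal"
    return "unexpected"

def find_suspect_egress(log_text, lmdeploy_hosts, allowed_dsts):
    """Return alerts for flows from LMDeploy hosts to suspect destinations."""
    hosts = {ipaddress.ip_address(h) for h in lmdeploy_hosts}
    allowed = {ipaddress.ip_address(a) for a in allowed_dsts}
    alerts = []
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport, action = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue             # skip lines that do not parse
        kind = classify(dst_ip, allowed) if src_ip in hosts else None
        if kind:
            alerts.append({"time": ts, "dst": dst, "port": port,
                           "kind": kind, "reached": action == "ACCEPT"})
    return alerts

def needs_rotation(alerts):
    """True when a metadata request was allowed through (see mitigation 3)."""
    return any(a["kind"] == "metadata" and a["reached"] for a in alerts)
```

An accepted flow to the metadata address is the case that should trigger the credential rotation in item 3; rejected flows show the egress block from item 2 working and are still worth investigating as attempts.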


## References


  • LMDeploy GitHub Security Advisory: https://github.com/InternLM/lmdeploy/security/advisories/
  • CVE-2026-33626 Details: https://nvd.nist.gov/vuln/detail/CVE-2026-33626
  • CWE-918 (SSRF): https://cwe.mitre.org/data/definitions/918.html
  • OWASP SSRF Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html
  • LMDeploy Official Repository: https://github.com/InternLM/lmdeploy

---


Key Takeaway: This vulnerability exemplifies the speed at which open-source security flaws can be weaponized. The 13-hour exploitation window between disclosure and wild attacks demands immediate action from anyone running LMDeploy. Patching to version 0.4.2+ should be treated as an emergency maintenance task, followed by credential rotation and network-level defenses to prevent future data exfiltration.