A critical Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-33626, CVSS 7.5 HIGH) in LMDeploy's `load_image()` function allows attackers to access internal networks and cloud metadata by exploiting improper URL validation. Affected versions include internlm lmdeploy prior to version 0.12.3, and the flaw is being actively exploited for internal reconnaissance. The fixed version is 0.12.3.
AI/ML , Vulnerability Management , Patch/Configuration Management LMDeploy vulnerability exploited, highlighting AI infrastructure risks April 27, 2026 Share By SC Staff As outlined in The Hacker News, a critical security flaw in LMDeploy, an open-source toolkit for managing large language models (LLMs), is being actively exploited in the wild. This vulnerability, identified as CVE-2026-33626, allows for server-side request forgery (SSRF) and poses a significant risk to systems utilizing the toolkit. The SSRF vulnerability resides within LMDeploy's vision-language module, specifically in the load_image() function, which fails to validate internal or private IP addresses when fetching URLs. This allows attackers to access sensitive cloud metadata services, internal networks, and other resources. Researchers at Sysdig detected exploitation attempts within 13 hours of the vulnerability's public disclosure, observing attackers using the flaw to port scan internal networks, target AWS Instance Metadata Service (IMDS) and Redis instances, and perform out-of-band DNS exfiltration. The exploitation involved multiple requests across different vision-language models to evade detection. Source: The Hacker News An In-Depth Guide to AI Get essential knowledge and practical strategies to use AI to better your security program. Learn More SC Staff Related AI/ML US accuses China of industrial-scale AI model theft SC Staff April 27, 2026 According to a White House memo, Chinese entities allegedly used tens of thousands of proxy accounts and jailbreaking techniques to systematically extract capabilities from U.S. frontier AI systems. Vulnerability Management Operating at the speed of the adversary Dr. Darren Death April 27, 2026 Why AI-powered vulnerability discovery makes modernizing your security practices and policies mandatory. AI benefits/risks Governance and compliance are still the biggest barriers to AI success Scott Sacket April 27, 2026 Here are three ways to develop a successful AI governance program. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds