LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

A high-severity SSRF vulnerability in the LMDeploy toolkit was exploited in the wild less than 13 hours after its public disclosure, highlighting the rapid weaponization of AI infrastructure flaws.
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure.
The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), relates to a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data.
"A server-side request forgery (SSRF) vulnerability exists in LMDeploy's vision-language module," according to an advisory published by the project maintainers last week. "The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources."
The shortcoming affects all versions of the toolkit (0.12.0 and prior) with vision language support. Orca Security researcher Igor Stepansky has been credited with discovering and reporting the bug.
Successful exploitation of the vulnerability could permit an attacker to steal cloud credentials, reach internal services that aren't exposed to the internet, port scan internal networks, and create lateral movement opportunities.
Cloud security firm Sysdig, in an analysis published this week, said it detected the first LMDeploy exploitation attempt against its honeypot systems within 12 hours and 31 minutes of the vulnerability being published on GitHub. The exploitation attempt originates from the IP address 103.116.72[.]119.
"The attacker did not simply validate the bug and move on. Instead, over a single eight-minute session, they used the vision-language image loader as a generic HTTP SSRF primitive to port-scan the internal network behind the model server: AWS Instance Metadata Service (IMDS), Redis, MySQL, a secondary HTTP administrative interface, and an out-of-band (OOB) DNS exfiltration endpoint," it said.
The actions undertaken by the adversary, detected on Apr 22, 2026, at 03:35 a.m. UTC, unfolded over 10 distinct requests across three phases, with the requests switching between vision language models (VLMs) such as internlm-xcomposer2 and OpenGVLab/InternVL2-8B to likely avoid raising any suspicion.
AI Accelerating the Exploit Cycle
The findings are yet another reminder of how threat actors are closely watching new vulnerability disclosures and exploiting them before downstream users can apply the fixes, even in cases where no proof-of-concept (PoC) exploits exist at the time of the attack.
"CVE-2026-33626 fits a pattern that we have observed repeatedly in the AI-infrastructure space over the past six months: critical vulnerabilities in inference servers, model gateways, and agent orchestration tools are being weaponized within hours of advisory publication," Sysdig said.
Generative AI is accelerating this collapse. An advisory as specific as GHSA-6w67-hwm5-92mq, which includes the affected file and root-cause explanation, is effectively an input prompt for any commercial LLM to generate a potential exploit.
WordPress Plugins and Modbus Devices Targeted
The disclosure comes as threat actors have also been spotted exploiting vulnerabilities in two WordPress plugins – Ninja Forms – File Upload (CVE-2026-0740) and Breeze Cache (CVE-2026-3844) – to upload arbitrary files, resulting in complete site takeover.
Furthermore, unknown attackers have been linked to a global campaign targeting internet-exposed, Modbus-enabled programmable logic controllers (PLCs) spanning 70 countries and 14,426 distinct targeted IPs. The activity blended large-scale automated probing with selective patterns suggesting deeper device fingerprinting and disruption attempts.
Source: The Hacker News














