EXECUTIVE SUMMARY:
CVE-2026-33626 with a CVSS score of 7.5 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting LMDeploy, a toolkit for serving vision-language and large language models (LLMs), specifically impacting versions v0.12.2 and earlier. The vulnerability arises from the lack of critical security checks, including hostname resolution, private-network blocklist, and protection for link-local addresses, when a user sends a chat request with an image URL. An attacker can exploit this by providing a malicious URL instead of a real image link, tricking the server into reaching out to internal resources it should never touch, such as the AWS Instance Metadata Service (IMDS) to steal IAM credentials or Redis on the standard port 6379. This allows the attacker to gain unauthorized access and control over the AI infrastructure, potentially leading to a complete compromise of the cloud account, due to the broad cloud permissions typically associated with AI nodes. If exploited, this vulnerability can have significant business impact and consequences, including the disruption of AI inference across a cluster and unauthorized access to sensitive data.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-33626 with a CVSS score of 7.5 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting LMDeploy, a toolkit for serving vision-language and large language models (LLMs), specifically impacting versions v0.12.2 and earlier. The vulnerability arises from the lack of critical security checks, including hostname resolution, private-network blocklist, and protection for link-local addresses, when a user sends a chat request with an image URL. An attacker can exploit this by providing a malicious URL instead of a real image link, tricking the server into reaching out to internal resources it should never touch, such as the AWS Instance Metadata Service (IMDS) to steal IAM credentials or Redis on the standard port 6379. This allows the attacker to gain unauthorized access and control over the AI infrastructure, potentially leading to a complete compromise of the cloud account, due to the broad cloud permissions typically associated with AI nodes. If exploited, this vulnerability can have significant business impact and consequences, including the disruption of AI inference across a cluster and unauthorized access to sensitive data.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you to update LMDeploy to version v0.12.3 or later.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/cve-2026-33626-lmdeploy-ssrf-ai-inference-hijack/