High severity7.5NVD Advisory· Published Apr 20, 2026· Updated Apr 23, 2026
CVE-2026-33626
CVE-2026-33626
Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
lmdeployPyPI | <= 0.12.2 | — |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626nvdPatchWEB
- github.com/InternLM/lmdeploy/pull/4447nvdIssue TrackingPatchWEB
- github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mqnvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-6w67-hwm5-92mqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33626ghsaADVISORY
- github.com/InternLM/lmdeploy/releases/tag/v0.12.3nvdRelease NotesWEB
News mentions
4- AI Threat Landscape Digest March-April 2026Check Point Research · May 26, 2026
- ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking & MoreThe Hacker News · Apr 27, 2026
- 27th April – Threat Intelligence ReportCheck Point Research · Apr 27, 2026
- LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of DisclosureThe Hacker News · Apr 24, 2026