
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

TL;DR CRITICAL
  • What happened: LMDeploy SSRF flaw exploited within 13 hours, enabling cloud credential theft and internal network reconnaissance.
  • Who's at risk: Any organisation deploying LMDeploy v0.12.0 or earlier with vision-language support in cloud or hybrid environments is directly exposed to credential theft and lateral movement.
  • Act now: Patch or upgrade LMDeploy immediately beyond v0.12.0 and disable vision-language modules if unused · Block outbound SSRF vectors by restricting model server egress and blocking access to IMDS endpoints (169.254.169.254) · Audit logs for requests to load_image() containing internal IP ranges, metadata service URLs, or OOB DNS callbacks

Overview

A high-severity Server-Side Request Forgery (SSRF) vulnerability in LMDeploy — a widely used open-source toolkit for compressing, deploying, and serving large language models — was exploited in the wild within 12 hours and 31 minutes of its public disclosure on GitHub. Tracked as CVE-2026-33626 (CVSS 7.5), the flaw resides in the toolkit’s vision-language module and allows unauthenticated attackers to weaponise the model server as an HTTP proxy to reach internal cloud infrastructure, credential stores, and private services. The speed of exploitation, with no public PoC available at the time, signals that AI inference infrastructure has become a primary target class for opportunistic threat actors.

Technical Analysis

The vulnerability exists in the load_image() function located at lmdeploy/vl/utils.py. The function fetches arbitrary URLs supplied as image inputs to vision-language models (VLMs) without validating whether the target resolves to private or internal IP address ranges. This classic SSRF pattern becomes particularly dangerous in cloud-deployed contexts where the AWS Instance Metadata Service (IMDS) at 169.254.169.254 exposes IAM role credentials without authentication.

Sysdig’s honeypot telemetry documented a structured eight-minute attack session originating from 103.116.72[.]119, consisting of 10 discrete requests across three phases:

  1. Credential harvesting phase — Requests targeting AWS IMDS and Redis instances to extract cloud IAM tokens and cached secrets.
  2. Egress validation phase — Out-of-band DNS callback to requestrepo[.]com to confirm external SSRF reachability and enumerate the API surface.
  3. Internal port scanning phase — Loopback (127.0.0.1) scanning to map exposed administrative interfaces.

Notably, the attacker rotated between two VLMs — internlm-xcomposer2 and OpenGVLab/InternVL2-8B — across requests, likely as a rudimentary evasion technique to reduce per-model anomaly scoring. All versions of LMDeploy up to and including v0.12.0 with vision-language support are affected.
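The check that load_image() lacks, shown as an added example that is not LMDeploy's own code: a resolver-aware URL vetting routine that rejects non-http(s) schemes, URLs carrying credentials, and any host whose literal or resolved address is loopback, link-local (which covers IMDS at 169.254.169.254), private, multicast, or otherwise non-global. IPv4-mapped IPv6 literals are unwrapped before the check so the metadata service cannot be reached through the `[::ffff:…]` syntax. The function names, the injectable `resolver` parameter and the `fake_resolver` table (used so the demo runs offline) are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Return every address the host currently resolves to (real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(text):
    """True only for a globally routable unicast address."""
    try:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop an IPv6 zone id
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is judged as IPv4
    return ip.is_global and not ip.is_multicast


def vet_image_url(url, resolver=default_resolver):
    """Validate a user-supplied image URL before any request is made.

    Returns (host, port, pinned_ip) or raises ValueError. The caller should
    connect to pinned_ip (sending `host` in the Host header / SNI) so that a
    second DNS lookup cannot rebind the name to an internal address.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    try:
        candidates = {str(ipaddress.ip_address(host))}  # literal IP: no DNS needed
    except ValueError:
        # Hostnames and non-dotted forms land here; whatever they resolve
        # to is checked, so loopback reached via an odd spelling is caught.
        candidates = set(resolver(host))
    if not candidates:
        raise ValueError(f"{host} did not resolve")
    for ip in sorted(candidates):  # one bad answer rejects the whole name
        if not is_public_address(ip):
            raise ValueError(f"{host} maps to non-public address {ip}")
    return host, port, sorted(candidates)[0]


def url_is_allowed(url, resolver=default_resolver):
    """Boolean wrapper around vet_image_url for callers that just need a verdict."""
    try:
        vet_image_url(url, resolver)
        return True
    except ValueError:
        return False


def fake_resolver(host):
    """Constructed stand-in for DNS so the demo runs offline."""
    table = {
        "images.example": {"93.184.216.34"},                # constructed public address
        "internal.example": {"10.0.0.5"},                   # private range
        "rebind.example": {"93.184.216.34", "127.0.0.1"},   # mixed answers: reject
    }
    return table.get(host, set())


if __name__ == "__main__":
    for url in [
        "https://images.example/cat.png",
        "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://127.0.0.1:6379/",
        "http://internal.example/",
        "http://rebind.example/",
        "ftp://images.example/cat.png",
    ]:
        verdict = "ALLOW" if url_is_allowed(url, fake_resolver) else "BLOCK"
        print(f"{verdict:5} {url}")
```

Two caveats belong with any such check. First, the vetted address must be the one actually connected to; validating the name and then letting the HTTP client resolve it again reopens a DNS-rebinding window. Second, redirects must be disabled or re-vetted hop by hop, since a public host can 302 to a metadata URL. Note also that `is_global` rejects documentation ranges such as 203.0.113.0/24, which is why the constructed table uses a routable address.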

Framework Mapping

  • AML.T0040 (ML Model Inference API Access): The attacker directly abused the public inference API endpoint as the SSRF delivery mechanism.
  • AML.T0047 (ML-Enabled Product or Service): The vulnerability is inherent to the LLM serving product, making all downstream deployments an attack surface.
  • AML.T0057 (LLM Data Leakage): Successful IMDS exploitation would yield cloud credentials, constituting sensitive data exfiltration via the model pipeline.
  • LLM06 (Sensitive Information Disclosure): Cloud credentials and internal service responses are directly disclosed through the vulnerable image loader.
  • LLM07 (Insecure Plugin Design): The vision-language image fetching module functions as an insecure plugin with unvalidated external connectivity.

Impact Assessment

Organisations running LMDeploy in cloud environments face the most acute risk: successful IMDS exploitation yields IAM role credentials enabling full account compromise. Secondary risks include lateral movement to databases (Redis, MySQL) and administrative interfaces reachable only from the model server’s network position. The attack does not require authentication or a PoC, lowering the skill threshold for exploitation significantly.

Mitigation & Recommendations

  1. Upgrade immediately to a patched version of LMDeploy beyond v0.12.0. If unavailable, disable vision-language model support at the configuration level.
  2. Block IMDS access from model server processes using instance-level IMDSv2 enforcement or firewall rules blocking 169.254.169.254.
  3. Restrict egress from inference servers to allowlisted external destinations only; deny outbound DNS and HTTP to arbitrary hosts.
  4. Monitor load_image() call patterns for internal IP ranges, metadata service URLs, and unexpected DNS resolution events.
  5. Rotate cloud credentials if LMDeploy was internet-exposed at any point since April 22, 2026.
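Detection logic for item 4, as an added example that is neither Sysdig's nor LMDeploy's code. It assumes an inference gateway writes one JSON line per VLM request with the fields `ts`, `src`, `model` and `image_url` (a constructed shape), and the sample lines below are constructed to mirror the three phases described above. Per request it flags metadata-service hosts, the requestrepo.com callback domain named in the analysis, and literal non-public addresses; per source it then flags the two session-level patterns, several distinct internal ports from one client and rotation between models.

```python
import ipaddress
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Metadata-service names/addresses worth matching by string, not just by range.
# 169.254.169.254 is from the analysis above; metadata.google.internal is GCP's.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
# Out-of-band callback service seen in the honeypot session above.
OOB_CALLBACK_DOMAINS = {"requestrepo.com"}

# Constructed sample log lines (not real telemetry).
LOG_LINES = [
    '{"ts":"2026-04-22T10:01:02Z","src":"203.0.113.10","model":"internlm-xcomposer2","image_url":"http://169.254.169.254/latest/meta-data/iam/security-credentials/"}',
    '{"ts":"2026-04-22T10:01:40Z","src":"203.0.113.10","model":"OpenGVLab/InternVL2-8B","image_url":"http://10.0.0.12:6379/"}',
    '{"ts":"2026-04-22T10:02:15Z","src":"203.0.113.10","model":"internlm-xcomposer2","image_url":"http://x7k2.requestrepo.com/ping"}',
    '{"ts":"2026-04-22T10:03:00Z","src":"203.0.113.10","model":"OpenGVLab/InternVL2-8B","image_url":"http://127.0.0.1:8000/"}',
    '{"ts":"2026-04-22T10:03:05Z","src":"203.0.113.10","model":"OpenGVLab/InternVL2-8B","image_url":"http://127.0.0.1:8080/"}',
    '{"ts":"2026-04-22T10:03:10Z","src":"203.0.113.10","model":"internlm-xcomposer2","image_url":"http://127.0.0.1:9000/"}',
    '{"ts":"2026-04-22T10:05:00Z","src":"198.51.100.7","model":"OpenGVLab/InternVL2-8B","image_url":"https://cdn.example.org/cat.png"}',
]


def classify_url(url):
    """Return a reason string for a suspicious image URL, or None if unremarkable."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return "non-http-scheme"
    if host in METADATA_HOSTS:
        return "metadata-service"
    if any(host == d or host.endswith("." + d) for d in OOB_CALLBACK_DOMAINS):
        return "oob-callback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # plain hostname: resolution-time checks belong in the fetcher
    if not ip.is_global:
        return "non-public-address"  # loopback, link-local, RFC 1918, ...
    return None


def analyze(lines, scan_threshold=3):
    """Run per-request and per-source detections over JSON log lines."""
    findings = []
    ports_by_src = defaultdict(set)
    models_by_src = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        src, url = rec["src"], rec["image_url"]
        models_by_src[src].add(rec["model"])
        reason = classify_url(url)
        if reason is None:
            continue
        findings.append({"src": src, "ts": rec["ts"], "reason": reason, "url": url})
        if reason == "non-public-address":
            parts = urlsplit(url)
            ports_by_src[src].add(parts.port or (443 if parts.scheme == "https" else 80))
    # Session-level pattern 1: many distinct internal ports from one client.
    for src, ports in ports_by_src.items():
        if len(ports) >= scan_threshold:
            findings.append({"src": src, "reason": "internal-port-scan", "ports": sorted(ports)})
    # Session-level pattern 2: model rotation, only where the source already has hits.
    flagged = {f["src"] for f in findings}
    for src, models in models_by_src.items():
        if len(models) > 1 and src in flagged:
            findings.append({"src": src, "reason": "model-rotation", "models": sorted(models)})
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(json.dumps(finding))
```

The per-request rules are cheap enough to run inline at the gateway; the two session-level rules need a short window of state per source, which is why the example keys them on `src`. Rotation between models is only reported for a source that already tripped another rule, which keeps ordinary multi-model clients out of the alert queue.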
