CVE-2026-33626NVD

Vulnerability Summary

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

Severity Level

HIGH(7.5)

Published Date

Apr 20, 2026

Last Modified

Apr 23, 2026

Exploitation Status

????

EPSS Score (30-Day)

8.70%Probability

Root Weakness (CWE)

CWE-918: Unknown/Unlisted Weakness ↗

Refer to the official MITRE database for detailed architectural specifications regarding this weakness.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityNone

AvailabilityNone

External References

https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626
https://github.com/InternLM/lmdeploy/pull/4447
https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2026-33626NVD

Vulnerability Summary

External References