SSRF in LMDeploy vision-language image loader
CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, a toolkit for compressing, deploying, and serving large language models. The flaw affects versions prior to 0.12.3 in the vision-language module, specifically the load_image() function in lmdeploy/vl/utils.py. LMDeploy dereferences user-supplied image_url values in chat completion or vision-language requests and fetches the referenced resource server-side without sufficient validation of the destination. Affected versions do not adequately block loopback, link-local, RFC1918/private, or other internal addresses, and lack hostname resolution checks and private-network filtering. An attacker can therefore supply crafted URLs that cause the LMDeploy server to issue requests to arbitrary internal or external resources, including cloud metadata endpoints and localhost services.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
httpTokens=required and httpPutResponseHopLimit=1 to reduce metadata theft risk. Rotate IAM or other credentials associated with publicly reachable vulnerable LMDeploy instances, especially if exposure to metadata services is possible. Monitor inference processes for outbound connections to metadata endpoints, loopback addresses, and private-network ranges, and alert on anomalous requests originating from LMDeploy. Limit public exposure of LMDeploy instances where feasible.
Remediation
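The monitoring step above (alert when an inference process opens outbound connections to metadata endpoints, loopback addresses or private ranges) as a worked example. This is added here and is not LMDeploy code or a Mallory detection rule; the connection-log format, the process names treated as inference workers, and the sample lines are all constructed for the example, so adapt the parser to whatever your host sensor or egress proxy actually emits.

```python
"""Flag outbound connections from an inference process to SSRF-relevant
destinations: cloud metadata endpoints, loopback, link-local and private ranges.

Constructed log format (assumption for this example), one event per line:
    ts=<iso8601> proc=<name> pid=<n> dst=<ip>:<port>   or   dst=[<ipv6>]:<port>
"""
import ipaddress
import re
from dataclasses import dataclass

# Well-known cloud metadata endpoints, listed explicitly so alerts can name them
# (AWS, GCP and Azure use 169.254.169.254; Alibaba Cloud uses 100.100.100.200).
METADATA_IPS = {"169.254.169.254", "100.100.100.200", "fd00:ec2::254"}

# Process names assumed to host LMDeploy serving in this example.
INFERENCE_PROCS = {"lmdeploy", "python3", "uvicorn"}

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+)\s+proc=(?P<proc>\S+)\s+pid=(?P<pid>\d+)\s+dst=(?P<dst>\S+)"
)


@dataclass
class Alert:
    ts: str
    proc: str
    pid: int
    dst: str
    reason: str


def split_host_port(dst: str):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    if dst.startswith("["):
        host, _, port = dst[1:].partition("]:")
    else:
        host, _, port = dst.rpartition(":")
    return host, int(port)


def classify(ip_str: str):
    """Return why an address is SSRF-relevant, or None if it looks public."""
    if ip_str in METADATA_IPS:
        return "cloud metadata endpoint"
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private range"
    return None


def flag_connections(lines):
    """Return one Alert per inference-process connection to a flagged destination."""
    alerts = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # tolerate unrelated or malformed lines
        if m["proc"] not in INFERENCE_PROCS:
            continue  # other daemons talking to internal hosts are normal here
        host, _port = split_host_port(m["dst"])
        reason = classify(host)
        if reason:
            alerts.append(Alert(m["ts"], m["proc"], int(m["pid"]), m["dst"], reason))
    return alerts


# Constructed sample: the first four lines mimic a model server that was handed
# crafted image_url values; the sshd line is noise; 93.184.216.34 is a public host.
SAMPLE_LOG = [
    "ts=2026-04-01T10:00:01Z proc=python3 pid=4242 dst=169.254.169.254:80",
    "ts=2026-04-01T10:00:02Z proc=python3 pid=4242 dst=127.0.0.1:9000",
    "ts=2026-04-01T10:00:03Z proc=python3 pid=4242 dst=10.0.3.7:6379",
    "ts=2026-04-01T10:00:04Z proc=python3 pid=4242 dst=93.184.216.34:443",
    "ts=2026-04-01T10:00:05Z proc=sshd pid=17 dst=10.0.0.1:22",
    "ts=2026-04-01T10:00:06Z proc=python3 pid=4242 dst=[::1]:8080",
]

if __name__ == "__main__":
    for a in flag_connections(SAMPLE_LOG):
        print(f"{a.ts} {a.proc}[{a.pid}] -> {a.dst}: {a.reason}")
```

Run against the constructed sample this yields four alerts (metadata endpoint, loopback, private range, IPv6 loopback) and stays silent on the public destination and on the non-inference process. In production the interesting baseline is that a model server normally has no reason to talk to the metadata service or to loopback ports at all, so even a single hit is worth paging on.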
Patch, then assume compromise.
_is_safe_url() check. Any deployment running 0.12.2 or earlier should be treated as vulnerable and updated promptly.
Exploits
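The destination check the advisory describes as missing before 0.12.3 (resolve the hostname, then refuse loopback, link-local, private and other non-global addresses), as an added Python example. This is not LMDeploy's _is_safe_url() and the page does not show that function's code; the `resolver` parameter and the constructed DNS table are assumptions made so the check can be exercised without network access.

```python
"""Validate a user-supplied image URL before any server-side fetch.

Checks performed: scheme allow-list, no userinfo, hostname resolves, and
every resolved address is globally routable (IPv4-mapped IPv6 judged as IPv4).
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (assumption for the offline demo). Literal IPs fall
# through to getaddrinfo, which parses them without a network lookup.
CONSTRUCTED_DNS = {
    "cdn.example": ["93.184.216.34"],
    "meta.example": ["93.184.216.34", "169.254.169.254"],  # one internal record
}


def default_resolver(hostname: str):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(hostname, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def offline_resolver(hostname: str):
    """Use the constructed table for demo names, getaddrinfo for literals."""
    return CONSTRUCTED_DNS.get(hostname) or default_resolver(hostname)


def address_is_public(ip_str: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_global
        and not ip.is_loopback
        and not ip.is_link_local
        and not ip.is_private
        and not ip.is_multicast
        and not ip.is_reserved
        and not ip.is_unspecified
    )


def is_safe_url(url: str, resolver=default_resolver) -> bool:
    """Return True only if every address the URL's host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # file://, ftp://, gopher:// etc. never reach a fetch
    host = parts.hostname
    if not host:
        return False
    if parts.username or parts.password:
        return False  # userinfo is a classic way to disguise the real host
    try:
        addrs = resolver(host)
        # One internal record among several is enough to refuse the fetch.
        return bool(addrs) and all(address_is_public(a) for a in addrs)
    except (socket.gaierror, UnicodeError, ValueError):
        return False  # unresolvable or unparsable: fail closed


if __name__ == "__main__":
    for u in ("https://cdn.example/a.png", "https://meta.example/a.png",
              "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
              "file:///etc/hosts"):
        print(f"{'allow' if is_safe_url(u, offline_resolver) else 'block':5}  {u}")
```

Two design points matter here. The check runs on the resolved addresses rather than on the URL string, so alternative spellings of an internal host are judged by what they actually resolve to; and it requires all records to be public, because a name that returns one public and one internal address would otherwise pass validation and still let the HTTP client pick the internal one. Validation at request time does not by itself defeat DNS rebinding between check and fetch; pinning the connection to the validated address closes that remaining gap.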
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a local Docker-based SSRF lab for CVE-2026-33626 affecting InternLM LMDeploy vision-language image loading. It is a real proof-of-concept repository, not just documentation. The core exploit capability is to supply an attacker-controlled URL to a FastAPI wrapper endpoint (/probe), which then calls lmdeploy.vl.load_image(url). In the vulnerable build (LMDeploy 0.12.0), this causes a server-side fetch of internal/private resources, demonstrating SSRF. In the patched build (LMDeploy 0.12.3), the same request is rejected with a security error.

Repository structure: docker-compose.yml orchestrates three services: vuln, patched, and internal. The vuln/Dockerfile and patched/Dockerfile each build a minimal FastAPI/uvicorn wrapper around LMDeploy and expose endpoints /, /version, and /probe. The internal/server.py file implements a simple HTTP canary service on port 9000 that serves /private.png and records requests in memory, exposing /hits and /reset for verification. The poc/poc.py script is the main operator entry point; it resets the canary, probes both vulnerable and patched services, and compares whether the internal service was contacted.

Exploit flow: poc/poc.py sends a GET request to /probe?url=<encoded target> on the vulnerable service. The vulnerable wrapper passes the supplied URL into lmdeploy.vl.load_image(), which fetches and decodes the remote image. Success is confirmed when the internal canary logs a hit to /private.png. The same flow against the patched service should fail before any internal request occurs.

This is an operational SSRF PoC with a fixed, benign payload URL rather than a customizable post-exploitation payload. It demonstrates internal network reachability and server-side URL fetching, but does not include RCE, persistence, credential theft, or lateral movement logic.
Recent activity
51 sources tracked across advisories, community write-ups, and news.
An SSRF vulnerability in LMDeploy that was exploited extremely rapidly after disclosure, illustrating AI-compressed time-to-exploitation.
A specific vulnerability identified as CVE-2026-33626 affecting LMDeploy; the post context indicates it is being discussed as an SSRF-related exploit shortly after disclosure.
An SSRF vulnerability in LMDeploy's vision-language image loader that allows attacker-supplied image_url values to trigger server-side requests to internal, loopback, link-local, and external hosts, enabling metadata access, internal service probing, and reconnaissance.