LMDeploy SSRF Flaw CVE-2026-33626 Exploited 13 Hours After Disclosure
CVE-2026-33626 (CVSS 7.5) in LMDeploy, an open-source LLM toolkit, was exploited in the wild within 13 hours of public disclosure, enabling SSRF attacks to access sensitive…

Executive Summary
A high-severity Server-Side Request Forgery (SSRF) vulnerability in LMDeploy — an open-source toolkit for compressing, deploying, and serving large language models (LLMs) — has been actively exploited in the wild less than 13 hours after its public disclosure, according to a report from The Hacker News. Tracked as CVE-2026-33626 (CVSS score: 7.5), the flaw allows an unauthenticated attacker to craft requests that trick the LMDeploy server into making internal network calls, potentially exposing sensitive data or internal services. The speed of exploitation — within half a day of disclosure — underscores the aggressive targeting of LLM infrastructure components and the compressed window defenders have to react.
Technical Analysis
CVE-2026-33626 resides in LMDeploy's request-handling logic, specifically in how the server processes user-supplied URLs or resource paths. The vulnerability is classified as a Server-Side Request Forgery (SSRF), which enables an attacker to send crafted requests that the LMDeploy server executes against internal network resources. According to the disclosure, the flaw does not require authentication, lowering the barrier for exploitation.
LMDeploy is widely used in AI/ML pipelines to optimize and serve LLMs such as LLaMA, Qwen, and other transformer-based models. It is commonly deployed in research environments, cloud-hosted inference endpoints, and enterprise AI infrastructure. The SSRF vector could allow an attacker to probe internal cloud metadata endpoints (e.g., AWS 169.254.169.254), access internal databases, or pivot to other services on the same network segment.
The exploit was observed in the wild within 13 hours of the vulnerability's public disclosure, per The Hacker News. This rapid weaponization aligns with a broader trend of attackers scanning for and exploiting newly disclosed flaws in AI/ML tooling, as seen in recent incidents involving Cohere AI Terrarium and other LLM-serving platforms. The specific exploit payloads or infrastructure used by the attackers have not been publicly detailed as of this writing.
Mitigations & Recommendations
Defenders running LMDeploy instances should prioritize the following actions:
- Apply the patch immediately. The LMDeploy maintainers have released a fix addressing CVE-2026-33626. Verify your deployment version against the patched release and update without delay.
- Restrict outbound network access. Configure firewall rules or network policies to block LMDeploy servers from making outbound connections to internal metadata endpoints and arbitrary external hosts. This limits the blast radius of SSRF exploitation.
- Segment LLM infrastructure. Place LMDeploy and other LLM-serving components in isolated network segments with strict egress controls. Avoid co-locating sensitive internal services (databases, secret stores) on the same subnet.
- Monitor for anomalous outbound requests. Enable logging on LMDeploy servers and monitor for requests to unusual IP addresses, especially cloud metadata IPs (e.g., 169.254.169.254) or internal RFC 1918 ranges.
- Validate input sanitization. Review any custom integrations or configurations that pass user-supplied URLs or file paths to LMDeploy. Ensure input validation is enforced at the application layer.
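A sketch of the monitoring check described in the list above, added here as an example and not taken from the article or from LMDeploy: it scans log lines for URLs whose host is an IP literal in the metadata link-local block, an RFC 1918 range, or loopback. The log format, the `classify_host` and `scan_log` names, and the sample lines are assumptions; hostnames are not resolved, so a name that resolves to an internal address needs a separate DNS-aware check.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges named in the recommendation (metadata link-local, RFC 1918), plus loopback.
SENSITIVE_NETS = [(label, ipaddress.ip_network(cidr)) for label, cidr in [
    ("cloud-metadata/link-local", "169.254.0.0/16"), ("loopback", "127.0.0.0/8"),
    ("rfc1918", "10.0.0.0/8"), ("rfc1918", "172.16.0.0/12"),
    ("rfc1918", "192.168.0.0/16"),
]]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def classify_host(host):
    """Label an IP-literal host that falls in a sensitive range; None otherwise."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # hostname: must be judged by the address it resolves to
    if addr.version == 6:
        if addr.ipv4_mapped is None:
            return "ipv6-local" if (addr.is_loopback or addr.is_link_local) else None
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d reaches the same IPv4 destination
    for label, net in SENSITIVE_NETS:
        if addr in net:
            return label
    return None

def scan_log(lines):
    """Return (line_number, url, label) for every URL pointing at a sensitive IP."""
    findings = []
    for number, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:
                continue  # malformed URL, e.g. unbalanced IPv6 brackets
            label = classify_host(host)
            if label:
                findings.append((number, url, label))
    return findings

# Constructed sample lines in a hypothetical egress-log format (not LMDeploy output).
SAMPLE_LOG = [
    "t=00:00:01 src=llm-01 url=https://images.example.com/cat.png",
    "t=00:00:02 src=llm-01 url=http://169.254.169.254/",
    "t=00:00:03 src=llm-01 url=http://10.0.4.17:6379/",
    "t=00:00:04 src=llm-01 url=http://[::ffff:169.254.169.254]/",
    "t=00:00:05 src=llm-01 url=http://172.32.0.5/",
]
```

Calling `scan_log(SAMPLE_LOG)` flags lines 2, 3 and 4; line 5 is left alone because 172.32.0.5 sits just outside 172.16.0.0/12.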
Given the observed exploitation timeline, waiting even 24 hours to patch may be too late. Organizations should treat this as an active threat and escalate remediation priority.
