
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
Why It Matters
The swift exploitation shows AI‑infrastructure tools are high‑value targets, forcing organizations to patch immediately or risk credential theft and lateral movement.
Key Takeaways
- LMDeploy SSRF (CVE‑2026‑33626) hit all versions ≤0.12.0
- Attack accessed AWS metadata, Redis, MySQL via image loader
- Exploitation recorded 12 h 31 m after GitHub advisory
- AI‑tool vulnerabilities now weaponized within hours of disclosure
Pulse Analysis
LMDeploy, an open‑source toolkit for compressing and serving large language models, became the latest victim of a supply‑chain style attack. The CVE‑2026‑33626 SSRF bug resides in the vision‑language module’s `load_image()` function, which fetches arbitrary URLs without filtering private IP ranges. By abusing this endpoint, threat actors can coax the model server into contacting internal services such as the AWS Instance Metadata Service, Redis caches, or MySQL databases, effectively turning the deployment node into a proxy for network reconnaissance.
Sysdig’s detection of the exploit within 12 hours 31 minutes of the GitHub advisory illustrates how quickly adversaries move from disclosure to action. In a single eight‑minute session, the attacker alternated between different VLMs to mask activity, scanned the loopback interface, and exfiltrated data via an out‑of‑band DNS callback. This multi‑phase approach mirrors tactics seen in recent AI‑infrastructure compromises, where attackers leverage detailed advisories as prompts for automated exploit generation. The incident also highlights the value of honeypot telemetry in surfacing zero‑day weaponization before widespread victimization.
The broader implication is a shifting threat model for enterprises adopting generative AI. As model serving stacks become integral to business workflows, any unpatched component can become a foothold for credential theft and lateral movement. Organizations should enforce rapid patch cycles, employ network segmentation to isolate model servers, and monitor outbound traffic for anomalous SSRF patterns. Investing in AI‑specific threat intelligence and integrating security checks into CI/CD pipelines will be essential to stay ahead of attackers who now treat vulnerability disclosures as ready‑made exploit recipes.
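The check that the `load_image()` behaviour described above lacks, as an added example (not LMDeploy's code or its actual patch): resolve the host first and refuse any URL whose addresses are not public. The names `vet_image_url`, `is_public`, `constructed_resolver` and the DNS table are hypothetical and constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def system_resolver(host, port):
    """Every address the OS resolver returns for host (IPv4 and IPv6)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def is_public(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local and reserved ranges.
    return ip.is_global and not ip.is_multicast

def vet_image_url(url, resolver=system_resolver):
    """Return the vetted addresses for url, or raise ValueError.

    Connect to one of the returned addresses instead of resolving the name
    again, so a second DNS answer cannot point the fetch at an internal host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    bad = [a for a in addrs if not is_public(a)]
    if bad or not addrs:
        raise ValueError(f"{parts.hostname} is not a public destination")
    return addrs

# Constructed DNS answers so the example runs offline (not real records).
CONSTRUCTED_DNS = {
    "images.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],
}

def constructed_resolver(host, port):
    return CONSTRUCTED_DNS.get(host, [host])  # IP literals map to themselves

def is_allowed(url):
    try:
        vet_image_url(url, constructed_resolver)
        return True
    except ValueError:
        return False
```

An HTTP client that follows redirects has to apply the same check to every hop, since a public URL can redirect to an internal one.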