LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
Summary
CVE-2026-33626, a serious flaw in LMDeploy (an open-source toolkit for deploying language models), was exploited by attackers within 13 hours of being made public. The vulnerability is a server-side request forgery (SSRF, a weakness where a server is tricked into making requests to internal systems it shouldn't access) in the image-loading function, which fails to block requests to private IP addresses. This could let attackers steal cloud credentials and access internal networks.
Solution / Mitigation
The vulnerability affects LMDeploy versions 0.12.0 and prior with vision language support. The source does not mention a patched version, an update, or mitigation steps.
Original source: https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html
First tracked: April 24, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 92%