High-severity LMDeploy SSRF flaw (CVE-2026-33626) actively exploited

Published: 2026-04-24
Category: technology
Source: The Hacker News

A high-severity Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-33626, in LMDeploy's vision-language module is under active exploitation. The flaw allows attackers to reach sensitive data, internal networks, and cloud metadata services through requests issued by the server itself. Exploitation was detected less than 13 hours after public disclosure, and it affects all versions of the toolkit (0.12.0 and prior) with vision-language support.

Context

LMDeploy is a toolkit used for vision-language tasks, and the identified SSRF vulnerability affects all versions prior to 0.12.0. SSRF vulnerabilities can allow attackers to manipulate server requests, leading to exposure of internal resources. The flaw was publicly disclosed and exploited within hours, indicating a high level of threat to users.

Why it matters

The CVE-2026-33626 vulnerability poses a significant risk to organizations running LMDeploy, as it enables unauthorized access to sensitive data and internal systems. The speed of exploitation underscores the urgency of patching and hardening affected deployments. Protecting against such vulnerabilities is critical to maintaining data integrity and guarding against breaches.

Implications

If left unaddressed, this vulnerability could lead to significant data breaches, impacting organizations' operational security and customer trust. Companies may face regulatory scrutiny and financial repercussions due to compromised data. Users of LMDeploy, especially those handling sensitive information, are particularly at risk.

What to watch

Organizations using LMDeploy should prioritize updating to version 0.12.0 or later to mitigate the risk associated with this vulnerability. Monitoring for unusual network activity or data access attempts, in particular outbound requests from inference hosts toward internal or cloud-metadata addresses, is essential in the wake of this exploitation. Security patches and updates from the developers will be crucial in the coming days.
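The Context section explains that SSRF lets an attacker make the server issue requests to internal resources, and the What to watch section recommends monitoring outbound activity. The block below is an added Python example, not code from LMDeploy or from The Hacker News article: a generic outbound-URL guard that refuses non-public targets (cloud metadata endpoints, link-local, private and loopback ranges, IPv4-mapped IPv6 literals, credentials embedded in the URL) and an egress-log scan built on the same check, so one helper serves both the preventive and the detective control. The log line format, the `SAMPLE_EGRESS_LOG` lines, the `METADATA_HOSTS` list and the `demo_resolver` mapping are all constructed for this illustration and do not describe LMDeploy's real fetch path.

```python
"""Defensive SSRF controls: an outbound-URL guard plus an egress-log scan.

Illustrative code only (not LMDeploy's). The DNS resolver is injectable so
the module runs offline; production callers use default_resolver.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed list of well-known cloud metadata endpoints (assumption, not from the advisory).
METADATA_HOSTS = {
    "169.254.169.254",           # AWS / Azure / OpenStack IMDS (IPv4)
    "fd00:ec2::254",             # AWS IMDS over IPv6
    "metadata.google.internal",  # GCP metadata server
}
ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA address it currently maps to."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, link-local (where IMDS lives), RFC 1918 / ULA, multicast
    and reserved space. IPv4-mapped IPv6 is unwrapped so ::ffff:10.0.0.1 is caught.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_outbound_url(url: str, resolver: Resolver = default_resolver) -> Tuple[bool, str]:
    """Decide whether a user-supplied URL may be fetched server-side.

    Returns (allowed, reason). Every resolved address must be public, so a name
    with one private record among several is rejected.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # e.g. http://trusted@169.254.169.254/
    host = host.rstrip(".")
    if host in METADATA_HOSTS:
        return False, "metadata endpoint"
    try:
        ipaddress.ip_address(host)
        addresses = [host]  # literal IP: check it directly
    except ValueError:
        addresses = resolver(host)  # hostname (incl. shorthand like 127.1): resolve first
    if not addresses:
        return False, "unresolvable host"
    for ip_text in addresses:
        if not is_public_address(ip_text):
            return False, f"{host} resolves to non-public address {ip_text}"
    return True, "ok"


# Constructed proxy-style line format: '<ts> <src> <METHOD> <url> <status>'.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_egress_log(lines: Iterable[str], resolver: Resolver = default_resolver) -> List[Dict[str, str]]:
    """Flag outbound requests from the inference host that the guard would refuse."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        allowed, reason = validate_outbound_url(m["url"], resolver)
        if not allowed:
            findings.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "reason": reason})
    return findings


# Constructed sample egress log (not real telemetry).
SAMPLE_EGRESS_LOG = [
    "2026-04-24T10:01:02Z 10.8.0.5 GET https://images.example.com/cat.png 200",
    "2026-04-24T10:01:09Z 10.8.0.5 GET http://169.254.169.254/latest/meta-data/ 200",
    "2026-04-24T10:01:15Z 10.8.0.5 GET http://internal-wiki.corp.example/ 403",
    "2026-04-24T10:01:21Z 10.8.0.5 GET file:///etc/passwd 000",
]


def demo_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS with a constructed mapping."""
    return {
        "images.example.com": ["93.184.216.34"],
        "internal-wiki.corp.example": ["10.20.30.40"],
        "127.1": ["127.0.0.1"],
    }.get(host, [])


if __name__ == "__main__":
    for f in scan_egress_log(SAMPLE_EGRESS_LOG, demo_resolver):
        print(f"{f['ts']} {f['src']} -> {f['url']}: {f['reason']}")
```

Two caveats on the design: validating a hostname and then letting the HTTP client resolve it again leaves a DNS-rebinding window, so a production guard pins the validated address when opening the socket and re-runs the check on every redirect hop; and host-level checks complement, rather than replace, network egress filtering and metadata-service hardening such as requiring session tokens for IMDS.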
