CVE-2026-33626 Overview
CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability affecting LMDeploy, a toolkit for compressing, deploying, and serving large language models. The vulnerability exists in the vision-language module, where the load_image() function in lmdeploy/vl/utils.py fetches whatever URL a request supplies without checking whether that URL points at, or resolves to, an internal or private address. Because the fetch is made from the model server itself, an attacker can reach cloud metadata services, internal network services, and other resources that are not exposed externally.
Critical Impact
Attackers can exploit this SSRF vulnerability to access internal cloud metadata services, potentially compromising cloud credentials, accessing internal network resources, and exfiltrating sensitive data from systems that are not meant to be publicly accessible.
Affected Products
- LMDeploy versions prior to 0.12.3
- InternLM LMDeploy vision-language module
- Systems running LMDeploy with vision-language features enabled
Discovery Timeline
- 2026-04-20 - CVE-2026-33626 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-33626
Vulnerability Analysis
This SSRF vulnerability stems from insufficient URL validation in LMDeploy's vision-language processing pipeline. When processing image URLs for vision-language model operations, the load_image() function in lmdeploy/vl/utils.py accepts and fetches arbitrary URLs without safeguards against internal network access. An attacker can supply URLs pointing to internal IP addresses, localhost, or cloud metadata endpoints (http://169.254.169.254/ is used by AWS, Azure and GCP; GCP also answers at metadata.google.internal) to reach resources that should only be accessible from inside the network. The response is not returned directly to the attacker as text; what leaks depends on how the fetched bytes are handled (for example whether a fetch failure, a decode error and a successful image decode produce distinguishable responses or timings), which still allows probing of internal hosts and ports.
The vulnerability is particularly dangerous in cloud-deployed LMDeploy instances where attackers could potentially retrieve cloud provider metadata containing temporary credentials, instance configuration details, and other sensitive information that could lead to broader infrastructure compromise.
Root Cause
The root cause of this vulnerability is the absence of URL validation and IP address filtering in the load_image() function. The function directly processes user-supplied URLs without:
- Validating the URL scheme (non-http schemes such as file://, gopher:// or dict:// are passed through; whether they are actually fetched depends on the HTTP client, since Python's requests library, for example, refuses file:// and gopher:// URLs)
- Checking whether the hostname resolves to a private, loopback or link-local range (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16, and the IPv6 equivalents ::1, fc00::/7 and fe80::/10), and re-checking on every redirect and at connection time so DNS rebinding cannot swap in an internal address after the check
- Blocking access to cloud metadata endpoints
- Implementing allow-list based URL filtering
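A hardened version of the check that is missing from the fetch path, written here as an added example in the project's language; it is not LMDeploy's code and the function, class and constant names are this example's own. It validates the scheme, rejects userinfo and known metadata hostnames, resolves the host and rejects it if any returned address is non-public (including IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1), and then returns a pinned address so the caller connects to the address that was checked rather than re-resolving. The resolver is injectable so the block runs offline against a constructed DNS table.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit, urlunsplit

# Hypothetical hardening for a fetcher like load_image(); example code, not LMDeploy's own.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}
# Ranges a model server must never be steered into. Most are already non-global for the
# ipaddress module; the explicit list keeps the policy readable. 169.254.0.0/16 covers the
# IMDS on AWS, Azure and GCP; fd00:ec2::254 is the AWS IPv6 IMDS endpoint.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10", "fd00:ec2::254/128",
)]

Resolver = Callable[[str], Iterable[str]]


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched."""


def system_resolver(host: str) -> list[str]:
    """Every address the OS resolver returns; a host with any bad address is rejected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline (assumption, not real records).
CONSTRUCTED_DNS = {
    "images.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.7"],   # mixed answer set
    "metadata.google.internal": ["169.254.169.254"],
}


def constructed_resolver(host: str) -> list[str]:
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")


def validate_image_url(url: str, resolver: Resolver = system_resolver) -> tuple[str, str]:
    """Return (hostname, pinned_ip) if url is safe to fetch, otherwise raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6 literals
    if not host:
        raise UnsafeURL("missing host")
    if parts.username or parts.password:
        raise UnsafeURL("userinfo in URL not allowed")
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        raise UnsafeURL(f"blocked hostname: {host}")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal: no DNS involved
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeURL(f"cannot resolve {host}: {exc}") from exc
    if not addrs:
        raise UnsafeURL(f"no addresses for {host}")
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it as well.
    addrs = [a.ipv4_mapped if a.version == 6 and a.ipv4_mapped else a for a in addrs]
    for a in addrs:
        if not a.is_global or any(a in net for net in BLOCKED_NETWORKS):
            raise UnsafeURL(f"{host} resolves to non-public address {a}")
    return host, str(addrs[0])


def is_safe(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        validate_image_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def pin_url(url: str, ip: str) -> tuple[str, dict[str, str]]:
    """Rewrite url to connect to the validated ip and carry the original host in the Host
    header, so the address checked is the address connected to (defeats DNS rebinding).
    For https the client must still send SNI for, and verify the certificate against, the
    original hostname; redirects must be disabled or re-validated hop by hop."""
    parts = urlsplit(url)
    netloc = f"[{ip}]" if ":" in ip else ip
    if parts.port:
        netloc += f":{parts.port}"
    pinned = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return pinned, {"Host": parts.netloc}


if __name__ == "__main__":
    for u in ("https://images.example.com/cat.png", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]:23333/", "http://rebind.example.net/x.png",
              "file:///etc/passwd", "http://2130706433/"):
        print(f"{'ALLOW ' if is_safe(u, constructed_resolver) else 'REJECT'} {u}")
```

The decimal-IP form http://2130706433/ is rejected here because the constructed resolver does not know it; with the real system resolver glibc parses it as 127.0.0.1 and the address check rejects it, so both paths fail closed. A real deployment would also set a short timeout, cap the response size, and restrict the content type to images.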
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker exploits the vulnerability by submitting a malicious image URL to any LMDeploy endpoint that processes vision-language requests. The server then fetches the resource at that URL, making the request on the attacker's behalf from inside the target network and with the server's network identity. If the fetching client follows redirects, the submitted URL does not even need to name an internal address: a public host the attacker controls can redirect to one, so validation has to apply to every hop of the fetch.
The fix commit also hardens an unrelated code path, dtype resolution when a model config is loaded. The excerpt below is from that part of the commit, not from the URL-fetch path in load_image(), so it does not by itself address the SSRF; the URL validation is not shown here. The fragment starts inside an if/else whose first branch is cut off:

        torch_dtype = torch_dtype if torch_dtype in ['float16', 'bfloat16'] else 'float16'
    else:
        torch_dtype = dtype
    resolved_dtype = getattr(torch, torch_dtype, None)
    if not isinstance(resolved_dtype, torch.dtype):
        raise ValueError(f'Invalid torch dtype "{torch_dtype}" resolved from model config; '
                         'expected a torch.dtype attribute on torch.')
    config.dtype = resolved_dtype
    return config
Source: GitHub Commit Details
This part of the fix replaces an eval() of the dtype string with getattr(torch, name, None), which only looks up an attribute and cannot execute code, and the isinstance check rejects any torch attribute that is not a dtype (a function name, for example) before it is stored on the config. A dtype string taken from an untrusted model config could previously have been used for arbitrary code execution; that is a separate hardening from the SSRF fix.
Detection Methods for CVE-2026-33626
Indicators of Compromise
- Unusual outbound requests from LMDeploy instances to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8)
- HTTP requests to cloud metadata endpoints (169.254.169.254, metadata.google.internal, etc.) from vision-language processing services
- Log entries showing image URLs with non-http schemes (file://, gopher://, dict://); whether the server actually fetches these depends on its HTTP client, but their presence shows deliberate probing
- Unexpected network connections from LMDeploy containers to internal services
Detection Strategies
- Implement network monitoring to detect outbound requests from LMDeploy instances to RFC 1918 private IP ranges and cloud metadata services
- Configure web application firewalls to inspect and log all image URL parameters submitted to vision-language endpoints
- Log every URL passed to load_image() together with the address it resolved to and the outcome of the fetch, so individual fetches can be audited and correlated with egress traffic
- Deploy intrusion detection signatures that alert on SSRF patterns targeting cloud metadata endpoints
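The indicators and strategies above, run as detection logic over constructed sample data; this is an added example, not LMDeploy's or any vendor's tooling. It scans two feeds: request events for the /v1/chat/completions endpoint as a reverse proxy in front of LMDeploy might log them (the event layout follows the OpenAI-style message format; the field names ts and src are assumptions), and egress flow records from the LMDeploy pods (the one-line format and pod names are assumptions). A request-side check catches literal metadata or internal addresses; the egress side catches the redirect case, where the submitted URL looks harmless, and a correlation step attributes that flow to the request that triggered it.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Hypothetical detector; not part of LMDeploy. All data below is constructed.
METADATA_HOSTS = {
    "169.254.169.254",           # AWS, Azure, GCP IMDS
    "fd00:ec2::254",             # AWS IMDS over IPv6
    "metadata.google.internal",  # GCP
    "100.100.100.200",           # Alibaba Cloud
}
# Internal destinations the pods legitimately use (assumption: DNS and a model registry).
ALLOWED_INTERNAL_DESTS = {"10.0.0.53", "10.0.5.20"}

REQUEST_EVENTS = [  # constructed sample events, not real traffic
    {"ts": "2026-04-21T10:00:01Z", "src": "203.0.113.5", "messages": [{"role": "user", "content": [
        {"type": "text", "text": "describe this"},
        {"type": "image_url", "image_url": {"url": "https://images.example.com/cat.png"}}]}]},
    {"ts": "2026-04-21T10:00:07Z", "src": "198.51.100.23", "messages": [{"role": "user", "content": [
        {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}}]}]},
    {"ts": "2026-04-21T10:00:09Z", "src": "198.51.100.23", "messages": [{"role": "user", "content": [
        {"type": "image_url", "image_url": {"url": "http://[::ffff:127.0.0.1]:23333/v1/models"}},
        {"type": "image_url", "image_url": {"url": "file:///etc/passwd"}}]}]},
    {"ts": "2026-04-21T10:00:12Z", "src": "198.51.100.23", "messages": [{"role": "user", "content": [
        {"type": "image_url", "image_url": {"url": "http://cdn.attacker.example/redirect-to-internal"}}]}]},
]

EGRESS_FLOWS = """\
2026-04-21T10:00:07Z lmdeploy-0 10.0.3.14 169.254.169.254 80
2026-04-21T10:00:10Z lmdeploy-0 10.0.3.14 10.0.0.53 53
2026-04-21T10:00:12Z lmdeploy-0 10.0.3.14 10.0.7.88 8080
2026-04-21T10:00:13Z other-svc-1 10.0.3.20 10.0.7.88 8080
2026-04-21T10:00:14Z lmdeploy-0 10.0.3.14 93.184.216.34 443""".splitlines()  # constructed


def extract_image_urls(event: dict) -> list[str]:
    """Pull every image_url out of an OpenAI-style multimodal message list."""
    urls = []
    for msg in event.get("messages", []):
        content = msg.get("content")
        if not isinstance(content, list):
            continue
        for part in content:
            if part.get("type") == "image_url":
                url = part.get("image_url", {}).get("url")
                if url:
                    urls.append(url)
    return urls


def _is_internal(ip) -> bool:
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved or ip.is_unspecified


def url_indicator(url: str):
    """Reason string if the URL itself is an SSRF indicator, else None."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower()
    if host in METADATA_HOSTS:
        return "cloud metadata endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname: only the egress feed shows where it went
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return f"internal address {ip}" if _is_internal(ip) else None


def scan_requests(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        for url in extract_image_urls(ev):
            reason = url_indicator(url)
            if reason:
                alerts.append({"ts": ev["ts"], "src": ev["src"], "url": url, "reason": reason})
    return alerts


def scan_egress(flow_lines: list[str], pod_prefix: str = "lmdeploy-") -> list[dict]:
    """Flag flows from LMDeploy pods to metadata or non-allowlisted internal destinations."""
    alerts = []
    for line in flow_lines:
        ts, pod, _src, dst, dport = line.split()
        if not pod.startswith(pod_prefix) or dst in ALLOWED_INTERNAL_DESTS:
            continue
        if dst in METADATA_HOSTS:
            reason = "cloud metadata endpoint"
        elif _is_internal(ipaddress.ip_address(dst)):
            reason = f"internal destination {dst}:{dport}"
        else:
            continue
        alerts.append({"ts": ts, "pod": pod, "dst": dst, "dport": int(dport), "reason": reason})
    return alerts


def _t(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: list[dict], egress_alerts: list[dict], window_s: int = 2) -> list[tuple[dict, list[str]]]:
    """Attach to each suspicious flow the image URLs submitted in the preceding window_s seconds;
    this is how a redirect-based SSRF, whose request URL looked public, gets attributed."""
    pairs = []
    for flow in egress_alerts:
        urls = [u for ev in events if 0 <= (_t(flow["ts"]) - _t(ev["ts"])).total_seconds() <= window_s
                for u in extract_image_urls(ev)]
        pairs.append((flow, urls))
    return pairs


if __name__ == "__main__":
    for a in scan_requests(REQUEST_EVENTS) + scan_egress(EGRESS_FLOWS):
        print(a)
    for flow, urls in correlate(REQUEST_EVENTS, scan_egress(EGRESS_FLOWS)):
        print(flow["ts"], flow["reason"], "<-", urls)
```

The flow to 10.0.7.88:8080 is the one the request-side check cannot see, because the submitted URL names a public host; it is only the egress monitor, joined to the request that arrived in the same second, that exposes it. In production the flow feed would be VPC flow logs, a CNI network policy log or a sidecar proxy log, and the allowlist would come from the deployment's actual dependencies.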
Monitoring Recommendations
- Monitor network egress from LMDeploy deployments for connections to internal services that should not be accessed
- Implement alerting for any requests to cloud provider metadata IP addresses from application containers
- Review LMDeploy access logs for suspicious image URLs containing internal IP addresses or localhost references
- Track LMDeploy version deployments across your infrastructure to ensure all instances are updated
How to Mitigate CVE-2026-33626
Immediate Actions Required
- Upgrade LMDeploy to version 0.12.3 or later immediately
- Audit existing deployments to identify any instances running vulnerable versions prior to 0.12.3
- Review network logs for evidence of SSRF exploitation attempts against LMDeploy services
- Implement network segmentation to limit the blast radius if exploitation has occurred
Patch Information
The vulnerability has been patched in LMDeploy version 0.12.3. The fix implements proper URL validation and IP address filtering to prevent SSRF attacks. Organizations should update to the patched version immediately by following the vendor's upgrade instructions.
For detailed patch information, refer to:
Workarounds
- Deploy network-level controls to block outbound connections from LMDeploy instances to internal IP ranges and cloud metadata services
- Implement a reverse proxy or web application firewall that validates and filters image URLs before they reach LMDeploy
- Use network segmentation to isolate LMDeploy services from sensitive internal resources
- Configure the cloud provider's instance metadata service to require session tokens (IMDSv2 on AWS): a token is only issued to a PUT request carrying the token-TTL header, which a GET-only image fetch cannot send, and leaving the response hop limit at 1 keeps tokens from reaching containers behind a bridge network. This mitigates credential theft via the metadata service but does not stop SSRF against other internal hosts
# Example: block the IMDS endpoint from the host (or from inside the container's network namespace).
# REJECT rather than DROP so the server's fetch fails immediately instead of hanging until timeout.
# If the LMDeploy process legitimately needs IMDS for instance-role credentials, scope the rule
# to the service account with the iptables owner match instead of blocking host-wide.
iptables -A OUTPUT -d 169.254.169.254 -j REJECT
# Do not also block 169.254.169.253: on AWS that address is the VPC DNS resolver, and dropping
# it breaks name resolution for the whole instance.
# Upgrade LMDeploy to the patched version; quote the spec, or the shell reads >= as an output redirect.
pip install --upgrade 'lmdeploy>=0.12.3'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.