CVE-2026-33626

Name of the Vulnerable Software and Affected Versions LMDeploy versions prior to 0.12.3

Description A Server-Side Request Forgery (SSRF) issue exists in the vision-language module of LMDeploy, a toolkit for compressing, deploying, and serving large language models. The load image() and encode image base64() functions in lmdeploy/vl/utils.py fetch arbitrary URLs without validating hostname resolutions or blocking internal and private IP addresses. This allows attackers to use the image loader as an HTTP probe to access sensitive resources, including the AWS Instance Metadata Service (IMDS), Redis, MySQL databases, and internal administrative interfaces. Real-world exploitation was observed shortly after disclosure, where attackers targeted GPU inference nodes to harvest cloud credentials via IMDS, potentially leading to the compromise of cloud accounts, S3 model artifacts, and training datasets. The issue can be triggered via the '/v1/chat/completions' endpoint by providing a malicious URL in the image url parameter.

Recommendations Update LMDeploy to version 0.12.3. As a temporary workaround, block outbound HTTP traffic from GPU inference nodes at the network layer. Enforce IMDSv2 with a hop limit of 1 across all GPU fleets. Audit and restrict IAM roles attached to GPU inference instances to the minimum required S3 buckets and remove cross-account assume-role permissions unless explicitly required.