Active Exploitation of LMDeploy SSRF (CVE‑2026‑33626) Threatens LLM Deployment Pipelines
What It Is — LMDeploy is an open‑source toolkit used to compress, package, and serve large language models (LLMs). CVE‑2026‑33626 is a Server‑Side Request Forgery (SSRF) flaw that allows an attacker to coerce the LMDeploy service into making arbitrary HTTP requests on its behalf, potentially exposing internal services, credentials, or metadata.
Exploitability — The vulnerability was weaponised in the wild less than 13 hours after its public disclosure. Proof‑of‑concept code and exploit scripts are circulating on underground forums. CVSS v3.1 base score 7.5 (High).
Affected Products — LMDeploy (all versions prior to the emergency patch released by the maintainers). The toolkit is embedded in many AI‑as‑a‑Service platforms, custom on‑premise LLM pipelines, and third‑party SaaS offerings that rely on the open‑source library.
TPRM Impact — Organizations that outsource LLM model serving or integrate LMDeploy into their supply chain now face a direct attack surface. An exploited SSRF can be used to pivot into internal APIs, exfiltrate proprietary model data, or disrupt AI‑driven services, creating downstream risk for customers and partners.
Recommended Actions —
- Apply the upstream patch for CVE‑2026‑33626 immediately; if unavailable, block the vulnerable version.
- Enforce strict egress filtering on any host running LMDeploy to limit outbound HTTP requests to trusted endpoints only.
- Conduct a rapid inventory of all third‑party services and internal applications that embed LMDeploy and verify they are patched.
- Monitor network traffic and LMDeploy logs for anomalous outbound requests or connections to internal IP ranges.
- Update third‑party risk registers to reflect the new supply‑chain exposure and communicate the issue to affected vendors.
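The monitoring and egress-filtering actions above can be prototyped as a log check like the following. This is an added example, not code from the advisory or from the LMDeploy project; the log line format, the allowlist, and all host names are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the only destination the LMDeploy host is expected to reach (hypothetical name).
ALLOWED_HOSTS = {"model-registry.example.com"}

# Constructed sample egress-proxy lines: "<timestamp> <source-host> <method> <dest-host>:<port>"
SAMPLE_LOG = """\
2026-01-01T10:00:01Z lmdeploy-01 GET model-registry.example.com:443
2026-01-01T10:00:05Z lmdeploy-01 GET 169.254.169.254:80
2026-01-01T10:00:09Z lmdeploy-01 GET 10.20.0.15:8080
2026-01-01T10:00:12Z lmdeploy-01 GET [::ffff:127.0.0.1]:6379
2026-01-01T10:00:20Z lmdeploy-01 GET files.example.net:443
"""

def split_host(dest):
    """Return the host part of 'host:port' or '[ipv6]:port'."""
    if dest.startswith("["):
        return dest[1:].partition("]")[0]
    return dest.rsplit(":", 1)[0]

def classify(host):
    """Return a reason string if the destination is anomalous, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat as a hostname and check the allowlist.
        return None if host.lower() in ALLOWED_HOSTS else "not-allowlisted"
    # Unwrap IPv4-mapped IPv6 so ::ffff:127.0.0.1 is judged as 127.0.0.1.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # includes the 169.254.0.0/16 metadata range
        return "link-local/metadata"
    if ip.is_private:
        return "private-range"
    return "ip-literal-not-allowlisted"

def find_anomalies(log_text):
    """Return (timestamp, source, destination, reason) for each flagged line."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, _method, dest = parts
        reason = classify(split_host(dest))
        if reason:
            findings.append((ts, src, dest, reason))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG):
        print(*finding)
```

The same classification can back an egress deny rule: anything for which `classify` returns a reason is a candidate for blocking rather than only alerting.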
Source: The Hacker News