Server-Side Request Forgery Vulnerability in LMDeploy by InternLM
CVE-2026-33626
What is CVE-2026-33626?
CVE-2026-33626 is a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, a toolkit for compressing, deploying and serving large language models. It affects LMDeploy versions prior to 0.12.3 and lies in the vision-language module: the load_image() method fetches arbitrary URLs without checking whether the target resolves to an internal or private IP address. An attacker who can supply an image URL can therefore make the server reach cloud metadata services, internal networks and other resources that should be unreachable from outside, undermining the security architecture of the organization running LMDeploy.
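As an added, defensive example that is not code from LMDeploy or from this advisory: the check a load_image()-style fetcher should run before retrieving a caller-supplied URL. It rejects non-HTTP schemes, embedded credentials, and any host that is a literal or resolves to a private, loopback, link-local, multicast, reserved or shared-address-space IP (which covers the usual cloud metadata endpoint). The names validate_image_url, is_public_address, is_url_allowed and the resolver hook are assumptions chosen for this illustration, and the DNS table used by the demo is constructed so the block runs offline.

```python
"""Added example (not LMDeploy code): vet a user-supplied image URL before
fetching it server-side. Function/class names are assumptions for this demo."""
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# RFC 6598 shared address space is not flagged by ipaddress.is_private,
# so it is blocked explicitly here.
EXTRA_BLOCKED_NETS = [ipaddress.ip_network("100.64.0.0/10")]


class UnsafeImageUrl(ValueError):
    """Raised when a URL must not be fetched from the server."""


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 scope id
    # "::ffff:10.0.0.1"-style addresses are judged as their IPv4 payload.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_BLOCKED_NETS)


def resolve_host(host: str) -> list[str]:
    """Default resolver: every address the OS resolver returns for host."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def validate_image_url(url: str, resolver=resolve_host) -> list[str]:
    """Return the vetted addresses for url, or raise UnsafeImageUrl."""
    try:
        parts = urlparse(url)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets
        raise UnsafeImageUrl(f"unparseable URL: {url!r}") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeImageUrl(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeImageUrl("URL has no host")
    if parts.username or parts.password:
        raise UnsafeImageUrl("credentials embedded in URL")
    try:
        # Literal IP (including bracketed IPv6): no DNS lookup needed.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        # A hostname: check *every* address it resolves to, so a name with
        # one public and one internal record is still rejected. Unusual
        # spellings (e.g. a decimal IPv4 such as "2130706433") land here too
        # and are judged by whatever the resolver turns them into.
        try:
            addresses = resolver(host)
        except socket.gaierror as exc:
            raise UnsafeImageUrl(f"cannot resolve {host!r}") from exc
    if not addresses:
        raise UnsafeImageUrl(f"no addresses for {host!r}")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeImageUrl(f"{host!r} resolves to non-public {addr}")
    return addresses


def is_url_allowed(url: str, resolver=resolve_host) -> bool:
    """Boolean convenience wrapper around validate_image_url."""
    try:
        validate_image_url(url, resolver)
        return True
    except UnsafeImageUrl:
        return False


# Constructed DNS table for the offline demo; these are not real hosts.
DEMO_DNS = {
    "cdn.example.test": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata-alias.test": ["169.254.169.254"],
    "split-horizon.test": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolver(host: str) -> list[str]:
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed table has no entry for {host}")
    return DEMO_DNS[host]


if __name__ == "__main__":
    for candidate in [
        "https://cdn.example.test/cat.png",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://metadata-alias.test/",
        "http://split-horizon.test/img.jpg",
        "file:///etc/passwd",
    ]:
        verdict = "fetch" if is_url_allowed(candidate, demo_resolver) else "REJECT"
        print(f"{candidate:55} -> {verdict}")
```

Two caveats for anyone wiring this into a real fetcher: the HTTP client should connect to one of the addresses the validator returned (sending the original hostname in the Host/SNI fields) rather than resolving the name a second time, otherwise a DNS answer that changes between check and fetch bypasses the check; and every redirect target must be passed through validate_image_url again, since a public host can redirect the server to an internal one.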
Potential impact of CVE-2026-33626
- Unauthorized Access to Sensitive Information: The SSRF vulnerability can enable attackers to query sensitive resources or internal services that they would otherwise not be able to access, leading to the potential leakage of confidential data and cloud service information.
- Internal Network Compromise: By exploiting this vulnerability, an attacker could target internal applications or services, which may result in broader network compromises, thereby affecting the integrity and confidentiality of surrounding systems.
- Increased Risk of Malware Deployment: The vulnerability opens the door for attackers to plant malicious payloads or conduct further attacks on internal systems through the exploitation of this SSRF flaw, which could lead to significant disruptions or data loss within an organization.
Affected Version(s)
lmdeploy < 0.12.3
News Articles
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
CVE-2026-33626 exploited within 13 hours of disclosure, enabling SSRF-based cloud credential theft and internal scanning.
EPSS Score
8% chance of being exploited in the next 30 days.
Timeline
- Exploit known to exist
- First article discovered by The Hacker News
- Vulnerability published
- Vulnerability reserved
