Back to Intelligence

CVE-2026-33626: LMDeploy SSRF Exploited in the Wild – Detection and Remediation Guide

SA
Security Arsenal Team
April 24, 2026
6 min read

Introduction

A critical security vulnerability has been confirmed in LMDeploy, an open-source toolkit widely used for the compression, deployment, and serving of Large Language Models (LLMs). Tracked as CVE-2026-33626, this Server-Side Request Forgery (SSRF) flaw carries a CVSS score of 7.5 (High) and represents a significant risk to organizations utilizing AI infrastructure.

What sets this vulnerability apart is the speed of weaponization: active exploitation in the wild began less than 13 hours after public disclosure. For defenders, this leaves virtually no window for complacency. In environments where LLMs are increasingly integrated into business-critical workflows, an SSRF vulnerability allows attackers to pivot from the exposed inference endpoint to the internal network, potentially accessing cloud metadata services, sensitive internal APIs, or data stores.

Technical Analysis

Affected Product: LMDeploy (Open-source LLM serving toolkit) CVE Identifier: CVE-2026-33626 CVSS Score: 7.5 (High) Attack Vector: Network (Adjacent) Vulnerability Type: Server-Side Request Forgery (SSRF)

Vulnerability Mechanics

LMDeploy is designed to facilitate the deployment of massive models on various hardware backends. The vulnerability arises from insufficient validation of user-supplied input used in HTTP requests initiated by the server. Specifically, the application accepts a URL parameter from an unauthenticated or authenticated user and utilizes the server's underlying HTTP client to fetch that resource.

Because the request originates from the server itself—typically running in a cloud environment or on a internal network with high trust—standard perimeter firewalls do not block the traffic. An attacker can craft malicious payloads targeting:

  1. Cloud Instance Metadata Services (IMDS): Accessing http://169.254.169.254/latest/meta-data/ to steal IAM credentials, allowing lateral movement to other cloud resources.
  2. Internal Network Scanning: Probing internal ports (e.g., Redis, MySQL, Kubernetes API) that are not exposed to the public internet.
  3. Local File Access (Potential): Depending on the schema support (e.g., file://), this could lead to Local File Inclusion (LFI).

Exploitation Status

CONFIRMED ACTIVE EXPLOITATION. Threat actors are actively scanning for exposed LMDeploy endpoints and exploiting the SSRF flaw to access sensitive data immediately after the PoC (Proof of Concept) was made public.

Detection & Response

Given the active exploitation status, security teams must assume compromise and hunt for indicators of SSRF activity. The following detection rules focus on the behavioral hallmark of this attack: the LMDeploy process (usually Python-based) initiating outbound connections to sensitive internal IP ranges or the metadata service.

SIGMA Rules

YAML
---
title: LMDeploy SSRF - Metadata Service Access
id: 8a2f1c82-9e4b-4d67-bc12-3e5a8f901235
status: experimental
description: Detects LMDeploy or Python processes attempting to access the Cloud Instance Metadata Service (169.254.169.254), a common objective in SSRF attacks.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-33626
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - attack.execution
  - attack.t1059.009
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    DestinationIp|startswith: '169.254.169.254'
    Image|endswith:
      - '/python'
      - '/python3'
      - '/lmdeploy'
  condition: selection
falsepositives:
  - Legitimate cloud instance initialization or health checks by the application
level: critical
---
title: LMDeploy SSRF - Internal Network Scanning
id: 9b3g2d93-0f5c-5e78-cd23-4f6b9g0a1245
status: experimental
description: Detects LMDeploy processes connecting to non-standard internal private IP ranges, indicative of network scanning via SSRF.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-33626
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.discovery
  - attack.t1018
logsource:
  category: network_connection
  product: linux
detection:
  selection:
    DestinationIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
    Image|endswith:
      - '/python'
      - '/python3'
  filter:
    DestinationPort|startswith:
      - 80
      - 443
      - 8000
      - 8080
  condition: selection and not filter
falsepositives:
  - Legitimate internal API calls by the LLM application to known backend services
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for LMDeploy or Python processes accessing Instance Metadata Service
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("python", "python3", "uwsgi", "gunicorn")
| where RemoteUrl has "169.254.169.254" or RemoteIP has "169.254.169.254"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, RemoteIP, RemotePort, InitiatingProcessAccountName
| extend Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss')

Velociraptor VQL

VQL — Velociraptor
-- Hunt for processes connecting to the Link-Local Metadata Address
SELECT Pid, Name, CommandLine, Exe, Username, RemoteAddr, RemotePort, State
FROM netstat()
WHERE RemoteAddr = '169.254.169.254'
   AND (Name =~ 'python' OR Name =~ 'python3' OR Name =~ 'lmdeploy')

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation Script for CVE-2026-33626
# 1. Identifies LMDeploy installations
# 2. Checks for vulnerable versions (Hypothetical check < v0.6.0)
# 3. Applies immediate firewall mitigation to block metadata access

echo "[*] Checking for LMDeploy processes..."
LMDEPLOY_PIDS=$(pgrep -f "lmdeploy" || true)

if [ -n "$LMDEPLOY_PIDS" ]; then
    echo "[!] LMDeploy is running. PIDs: $LMDEPLOY_PIDS"
else
    echo "[+] No LMDeploy processes found currently."
fi

echo "[*] Checking installed version via pip..."
# Note: pip show location varies, checking common site-packages or venvs
pip show lmdeploy 2>/dev/null || echo "[!] Could not determine version via pip. Check manually."

echo "[*] Applying immediate mitigation: Blocking traffic to Metadata Service (169.254.169.254)..."
# Check if iptables rule exists
if ! iptables -C OUTPUT -d 169.254.169.254 -j DROP &>/dev/null; then
    iptables -A OUTPUT -d 169.254.169.254 -j DROP
    echo "[+] Firewall rule applied to block 169.254.169.254."
else
    echo "[+] Firewall rule already exists."
fi

echo "[*] ACTION REQUIRED: Please update LMDeploy to the latest patched version immediately."
echo "[*] Vendor Advisory: https://github.com/InternLM/lmdeploy/security/advisories"

Remediation

To address CVE-2026-33626 effectively, organizations must take a layered approach:

  1. Patch Immediately: Update LMDeploy to the latest version released by the vendor. If the specific patched version is not yet available in your package manager, pull the latest commit from the official repository master branch.
  2. Network Segmentation (Egress Filtering): As demonstrated in the script above, block outbound traffic from the LLM inference server to the cloud instance metadata service (169.254.169.254) and restrict access to non-essential internal IP ranges.
  3. Enforce IMDSv2: If running on AWS, Azure, or GCP, enforce Instance Metadata Service Version 2 (IMDSv2), which requires session-oriented requests, making simple SSRF exploits significantly harder.
  4. Input Validation: Review the LMDeploy configuration (if applicable) to ensure it is not exposed directly to the public internet without an authentication proxy or Web Application Firewall (WAF) that can detect SSRF payloads.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurelmdeploycve-2026-33626ssrf

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action