Summary
LMDeploy's vision-language module contains a high-severity SSRF vulnerability (CVE-2026-33626) that attackers exploited within 13 hours to scan internal networks and target cloud metadata. The flaw allows unauthenticated users to bypass network restrictions by providing malicious image URLs to the inference server.
Take Action:
If you're running LMDeploy, immediately update to version 0.12.3 or later to patch the SSRF vulnerability (CVE-2026-33626). Also, enforce IMDSv2 with required session tokens on your cloud instances and restrict outbound network traffic from inference servers to block credential theft and internal scanning.
Read the full article on BeyondMachines
This article was originally published on BeyondMachines
Top comments (0)