Canadian Cyber Security Journal

LMDeploy CVE-2026-33626: AI Inference Toolkit Exploited Within 13 Hours — What Canadian AI Teams Need to Know

What Happened

On April 21, 2026, GitHub published a security advisory (GHSA-6w67-hwm5-92mq) for LMDeploy, later assigned CVE-2026-33626 with a CVSS score of 7.5. LMDeploy is an open-source toolkit widely used to compress, deploy, and serve large language models (LLMs). The vulnerability is a Server-Side Request Forgery (SSRF) flaw in the load_image() function in lmdeploy/vl/utils.py, which fetches arbitrary URLs without validating whether the destination is an internal or private IP address.

Cloud security firm Sysdig detected the first exploitation attempt against its honeypot systems 12 hours and 31 minutes after the advisory went public. Attackers used the vision-language image loader as a generic HTTP SSRF primitive, sending 10 requests across three phases in a single eight-minute session. They probed the AWS Instance Metadata Service (IMDS), Redis, MySQL, an administrative HTTP interface, and an out-of-band DNS exfiltration endpoint — exactly the credential and configuration stores you would want to map before a deeper intrusion. LMDeploy version 0.12.3 patches the issue.
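
The missing destination check described above, sketched as an added example (not LMDeploy's code and not the 0.12.3 patch): resolve the URL's host and refuse the fetch unless every resolved address is public. The names check_image_url and blocked_reason are hypothetical, and the URLs are constructed samples.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address classes a model server has no reason to fetch images from.
BLOCKED_FLAGS = ("is_loopback", "is_link_local", "is_private",
                 "is_multicast", "is_reserved", "is_unspecified")

def blocked_reason(ip_text):
    """Return the class that makes an address non-public, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "unparsable"
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return next((f[3:] for f in BLOCKED_FLAGS if getattr(ip, f)), None)

def check_image_url(url, resolver=socket.getaddrinfo):
    """Return (ok, detail); ok only if every resolved address is public."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host in URL"
    try:
        infos = resolver(host, port or 80, proto=socket.IPPROTO_TCP)
    except (OSError, UnicodeError):
        return False, f"cannot resolve {host}"
    for addr in sorted({info[4][0] for info in infos}):
        reason = blocked_reason(addr)
        if reason:
            return False, f"{host} -> {addr} ({reason})"
    return True, "all resolved addresses are public"

if __name__ == "__main__":
    # Constructed inputs: the destination types named in the article.
    for url in ("http://169.254.169.254/latest/meta-data/",  # AWS IMDS
                "http://127.0.0.1:6379/",                     # local Redis
                "http://[::ffff:10.0.0.5]:3306/",             # MySQL, mapped IPv6
                "file:///etc/passwd"):
        print(url, check_image_url(url))
```

A check like this only holds if the fetch then connects to the address that was validated and the check is repeated on every redirect; otherwise a second DNS lookup or a 3xx response can still land on an internal address.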

Why This Matters for Canadian Organizations

Canada has a growing population of AI development teams, cloud-native SaaS companies, and research institutions running self-hosted LLM inference infrastructure. LMDeploy is popular precisely because it supports efficient deployment of vision-language models on GPU clusters — including in academic and research environments at Canadian universities and government-funded AI labs. Any team running LMDeploy with vision-language model support and internet-accessible endpoints is directly exposed.

The attack pattern observed is consistent with pre-breach reconnaissance: the attacker is not just exploiting the vulnerability, but using it to map what else is accessible from the model server. AWS IMDS access in particular hands an attacker the instance role credentials, which may grant broad access to S3 buckets, other AWS services, or IAM permissions. For Canadian organizations subject to PIPEDA breach notification obligations, a compromised cloud environment triggered by an AI infrastructure flaw is a reportable incident. Organizations using managed AI platforms built on LMDeploy should also verify whether their provider has patched.

What to Do

Upgrade LMDeploy to version 0.12.3 immediately. If you cannot patch right away, restrict network access to LMDeploy’s API endpoints so they are not reachable from the public internet. Audit your cloud environment for any unusual IMDS access, unexpected outbound DNS queries, or lateral movement from your model inference hosts in the April 21–24 window. If your deployment runs on AWS, check CloudTrail for unauthorized credential use tied to your inference instance role.

The Sysdig technical breakdown of the exploitation chain is available at Sysdig Blog. The original advisory and patch details are covered by The Hacker News.
