LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

Published: April 24, 2026 at 03:24 AM EDT

Source: The Hacker News

Summary

A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has been actively exploited in the wild less than 13 hours after its public disclosure.

Vulnerability Details

  • CVE Identifier: CVE-2026-33626
  • CVSS Score: 7.5 (High)
  • Type: Server-Side Request Forgery (SSRF)
  • Impact: Allows an attacker to force the vulnerable server to make arbitrary HTTP requests, potentially exposing sensitive data or internal services.

Timeline

  • Disclosure: Publicly disclosed on [date of disclosure].
  • Exploitation: Reports of active exploitation surfaced within 13 hours of disclosure.

Mitigation

  • Update: Apply the latest LMDeploy release that addresses CVE-2026-33626.
  • Network Controls: Restrict outbound traffic from LMDeploy instances to only trusted endpoints.
  • Input Validation: Ensure any user-controlled URLs are validated and sanitized before being processed.
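As an added example of the "Input Validation" and "Network Controls" points above (example code written for this summary, not LMDeploy's own code or its fix), the following check accepts a user-supplied URL only if it uses HTTPS, names a host on an explicit allowlist, carries no embedded credentials, and resolves solely to globally routable addresses. The allowlist entries and the `resolver` hook are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only destination hosts this service may fetch from.
ALLOWED_HOSTS = {"hub.example.com", "models.example.internal"}
ALLOWED_SCHEMES = {"https"}


def _default_resolver(host):
    """Resolve a hostname to every address it maps to (A and AAAA records)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=_default_resolver):
    """Return True only for URLs that are safe to fetch server-side.

    The hostname string alone is not trusted: every address it resolves to is
    checked, so an allowlisted name that points at loopback, link-local
    (including the 169.254.169.254 cloud metadata address), private or other
    non-global ranges is still rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if not host or parts.username or parts.password:
        return False  # no empty host, no https://user:pass@host tricks
    if host not in allowed_hosts:
        return False
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError):
        return False
    if not addrs:
        return False
    for addr in addrs:
        # is_global is False for loopback, link-local, private, unique-local,
        # documentation and reserved ranges in both IPv4 and IPv6.
        if not ipaddress.ip_address(addr).is_global:
            return False
    return True
```

Because the name is resolved at check time and again by the HTTP client, the two answers can differ (DNS rebinding); the client that performs the fetch should connect to the address that passed validation rather than re-resolving.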

Recommendation

If you are using LMDeploy, verify that your deployment is running a patched version and review your network egress rules to mitigate potential SSRF attacks.
