{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33626", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.617Z", "datePublished": "2026-04-20T20:29:19.558Z", "dateUpdated": "2026-04-21T19:50:13.326Z"}, "containers": {"cna": {"title": "LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq"}, {"name": "https://github.com/InternLM/lmdeploy/pull/4447", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternLM/lmdeploy/pull/4447"}, {"name": "https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626"}, {"name": "https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3"}], "affected": [{"vendor": "InternLM", "product": "lmdeploy", "versions": [{"version": "< 0.12.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:29:19.558Z"}, "descriptions": [{"lang": "en", "value": "LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue."}], "source": {"advisory": "GHSA-6w67-hwm5-92mq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:52:10.383689Z", "id": "CVE-2026-33626", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:50:13.326Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading", "source": {"advisory": "GHSA-6w67-hwm5-92mq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InternLM", "product": "lmdeploy", "versions": [{"status": "affected", "version": "< 0.12.3"}]}], "references": [{"url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq", "name": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternLM/lmdeploy/pull/4447", "name": "https://github.com/InternLM/lmdeploy/pull/4447", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626", "name": "https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3", "name": "https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:29:19.558Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33626", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:52:10.383689Z"}}}], "references": [{"url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-21T17:52:24.672Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33626", "state": "PUBLISHED", "dateUpdated": "2026-04-20T20:29:19.558Z", "dateReserved": "2026-03-23T14:24:11.617Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T20:29:19.558Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue."}], "id": "CVE-2026-33626", "lastModified": "2026-04-21T20:16:56.173", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T21:16:35.097", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626"}, {"source": "security-advisories@github.com", "url": "https://github.com/InternLM/lmdeploy/pull/4447"}, {"source": "security-advisories@github.com", "url": "https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.12.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "lmdeploy", "source": "cna", "vendor": "InternLM"}, "product": "lmdeploy", "vendor": "internlm"}], "analysis": {"en": {"generated_at": "2026-04-21T15:43:17.300261+00:00", "value": {"mitigation_remediation": ["Upgrade LMDeploy to version 0.12.3 or later to apply the official fix.", "Configure network controls to restrict LMDeploy\u2019s outbound traffic, ensuring it cannot access internal or cloud metadata endpoints.", "If an immediate upgrade is not possible, restrict image URL sources by implementing a whitelist or proxy that blocks untrusted external requests."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "The flaw affects InternLM\u2019s LMDeploy, specifically all releases preceding version 0.12.3. The patch begins with release 0.12.3, which removes the unchecked URL fetch from load_image().", "description_and_impact": "LMDeploy\u2019s vision\u2011language module contains an SSRF flaw in the load_image() function. The function fetches URLs supplied by users without validating that they target public or safe addresses, permitting an attacker to retrieve arbitrary data from internal or private networks, including cloud metadata services. The vulnerability corresponds to CWE\u2011918 and could enable attackers to exfiltrate sensitive information or gain additional footholds within a protected environment.", "risk_and_exploitability": "With a CVSS score of 7.5 the flaw is considered high severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely by directing malicious image URLs to LMDeploy. An attacker only needs to supply an unvalidated URL to the load_image routine, which will then resolve and fetch the resource, potentially exposing internal addresses or data. No authentication is required, and the issue can be triggered from any input surface that passes through the load_image function."}}}}, "created": "2026-04-20T22:30:19.704384+00:00", "updated": "2026-04-21T15:45:07.487154+00:00", "vendors": ["internlm", "internlm$PRODUCT$lmdeploy"]}