LMDeploy SSRF Zero-Day Under Active Exploitation: AI Infrastructure Supply Chain Under Attack
A high-severity SSRF vulnerability in LMDeploy, a popular open-source LLM deployment toolkit, is under active exploitation in the wild less than 13 hours after disclosure. Attackers can access cloud metadata and internal networks, exposing a critical weak point in the AI infrastructure supply chain.

Critical LMDeploy Vulnerability Under Active Exploitation
A high-severity Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, an open-source toolkit for compressing, deploying, and serving Large Language Models, has come under active exploitation in the wild less than 13 hours after its public disclosure. This represents a significant threat to the expanding AI infrastructure supply chain, where developers and organizations are increasingly relying on third-party tools to deploy and manage LLM workloads.
The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), is a Server-Side Request Forgery (SSRF) flaw that could be exploited to access sensitive data. The speed of exploitation following disclosure highlights the critical risk this flaw poses to organizations running affected versions of LMDeploy in production environments.
Technical Details of the Vulnerability
The SSRF flaw exists within LMDeploy's vision-language module and stems from improper validation of network requests. According to an advisory published by the project maintainers, the load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. This is a classic SSRF attack pattern where an attacker can trick the server into making requests to internal or restricted network locations.
The technical impact is particularly severe in cloud environments where metadata services (such as AWS EC2 Instance Metadata Service or Google Cloud Metadata Service) contain sensitive credentials, API keys, and deployment configurations. An attacker exploiting this vulnerability can retrieve these credentials by crafting a request that directs the vulnerable load_image() function to fetch from internal metadata endpoints.
Affected Scope and Versions
The shortcoming affects all versions of the toolkit (0.12.0 and prior) with vision language support. This broad version range means that many organizations deploying LMDeploy for vision-language tasks are potentially vulnerable unless they've already patched. Given that LMDeploy is widely used in the AI/ML community for efficient LLM deployment, the number of affected systems could be significant.
Organizations running LMDeploy in containerized environments or cloud infrastructure are at particularly high risk, as the SSRF vulnerability can be leveraged to extract container credentials, environment variables, and cloud service metadata. This type of compromise could allow attackers to pivot laterally within cloud environments or gain elevated privileges in container orchestration systems.
The Rapid Exploitation Timeline
What distinguishes this incident from many other vulnerability disclosures is the speed of weaponization. The fact that active exploitation was observed less than 13 hours after public disclosure suggests either a highly organized threat actor with automated scanning infrastructure or multiple independent actors quickly recognizing the vulnerability's impact. This compressed timeline between disclosure and exploitation is becoming increasingly common as attackers employ AI-assisted vulnerability scanning and automated exploit development.
The rapid exploitation also indicates that threat actors are actively monitoring vulnerability disclosures for open-source projects, particularly those in the AI/ML space where there's high demand for cloud credentials and internal network access. LMDeploy's position in the AI infrastructure stack makes it an attractive target for supply chain attacks that could compromise downstream applications and services.
Supply Chain Implications
This vulnerability exposes a critical weak point in the AI infrastructure supply chain. LMDeploy is a dependency in many AI deployment pipelines, and a compromise at this level could affect numerous organizations downstream. This is particularly concerning given the trend of nation-state and criminal actors targeting AI infrastructure as a means to gain access to valuable training datasets, models, and computational resources.
Organizations using LMDeploy as part of their AI deployment infrastructure should consider:
- Conducting an immediate inventory of systems running LMDeploy with vision-language support
- Evaluating whether those systems have access to sensitive internal networks or cloud metadata services
- Prioritizing patching to versions beyond 0.12.0 that address this SSRF vulnerability
- Implementing network segmentation to restrict access from application servers to cloud metadata services
- Monitoring for suspicious outbound requests from LMDeploy processes to internal or metadata endpoints
- Implementing credential rotation for any cloud credentials that may have been exposed
Broader AI Infrastructure Security Concerns
This incident is emblematic of a larger trend in 2026: attackers recognizing that AI infrastructure represents a high-value target with often inadequate security controls. As organizations race to deploy AI systems, security is frequently treated as an afterthought, with development teams prioritizing feature velocity over secure configuration. The rapid exploitation of this vulnerability demonstrates that threat actors are aware of these shortcuts and are actively exploiting them.
Furthermore, the open-source nature of LMDeploy means that the vulnerability code path is publicly visible to both security researchers and attackers. This transparency, while beneficial for the security community's ability to understand and patch vulnerabilities, also means that exploit development can be accelerated significantly. Attackers can study the vulnerable code, develop reliable exploits, and deploy them at scale within a matter of hours.
Remediation and Detection
For organizations running LMDeploy, immediate patching is essential. The project maintainers have likely released patched versions that validate internal IP addresses in the load_image() function. Organizations should verify that their deployment infrastructure is running a version newer than 0.12.0 and that vision-language support is properly configured with the updated validation logic.
From a detection perspective, security teams should monitor for:
- Unusual outbound connections from LMDeploy processes to cloud metadata services (169.254.169.254, metadata.google.internal, etc.)
- Failed or successful attempts to access internal network resources from application servers running LMDeploy
- Suspicious file:// or gopher:// protocol usage in request logs
- Extraction of cloud credentials or environment variables through access logs
- Abnormal image URLs being processed by the load_image() function
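The following is an added illustration, written for this article rather than taken from LMDeploy's load_image() or its patch, of the two controls described above: the pre-fetch validation the remediation section calls for (reject non-HTTP schemes and any host that resolves to a non-public address, including the metadata endpoints named in the detection list) and the same check reused as a detector over request logs. The image_url= log field, the FAKE_DNS table and the SAMPLE_LOG lines are constructed assumptions so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata"}  # cloud metadata names from the article

def is_public_ip(addr):
    ip = ipaddress.ip_address(addr)  # 169.254.169.254, 10/8, 127/8, ::1 etc. all fail here
    return ip.is_global and not (ip.is_loopback or ip.is_link_local or ip.is_multicast)

def resolve_all(host):  # every A/AAAA answer; getaddrinfo also normalises odd IP literals
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_image_url(url, resolve=resolve_all):
    # Pre-fetch check for a user-supplied image URL; returns (allowed, reason).
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '(none)'}"
    host = parsed.hostname
    if not host or host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"missing or blocked host: {host}"
    try:
        bad = [a for a in resolve(host) if not is_public_ip(a)]
    except (OSError, ValueError) as exc:  # gaierror is an OSError; ValueError = unparsable answer
        return False, f"could not resolve {host}: {exc}"
    if bad:
        return False, f"{host} resolves to non-public address {bad[0]}"
    return True, "ok"  # the fetch must then connect to the checked addresses, not re-resolve (DNS rebinding)

def flag_image_requests(log_lines, resolve=resolve_all):
    # Detection over request logs: (line, reason) for every logged image URL that fails the check.
    results = ((line, check_image_url(line.split("image_url=", 1)[1].split()[0], resolve))
               for line in log_lines if "image_url=" in line)
    return [(line, reason) for line, (ok, reason) in results if not ok]

# Constructed DNS answers and log lines so the example runs offline; none are real records.
FAKE_DNS = {"images.example.com": {"1.2.3.4"}, "mixed.example": {"5.6.7.8", "10.0.0.5"},
            "metadata.google.internal": {"169.254.169.254"}}
SAMPLE_LOG = ["ts=1 image_url=https://images.example.com/cat.png status=200",
              "ts=2 image_url=http://169.254.169.254/latest/meta-data/ status=200"]

def fake_resolve(host):  # like getaddrinfo: known names answer, IP literals echo back
    try:
        return FAKE_DNS.get(host) or {str(ipaddress.ip_address(host))}
    except ValueError:
        raise socket.gaierror(f"no record for {host}") from None
```

Blocking by hostname is only a shortcut; the resolved-address check is what catches aliases, decimal or IPv6-mapped spellings of 169.254.169.254, and attacker-controlled DNS names that point at internal ranges.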
The Emerging AI Security Crisis
This vulnerability underscores a critical reality in 2026: the rush to deploy AI systems at scale is outpacing the maturity of security practices in the AI infrastructure ecosystem. While traditional application security has developed over decades, with frameworks like OWASP and security testing methodologies widely adopted, AI infrastructure security is still in its infancy. Tools like LMDeploy are being adopted rapidly without the same level of security hardening that enterprise-grade infrastructure tools typically receive.
Organizations must recognize that AI infrastructure components are not separate from their security strategy—they are the foundation upon which their AI applications run. A compromised LMDeploy instance doesn't just put a single application at risk; it can expose cloud credentials, internal networks, and training data across an entire organization's AI ecosystem.
As the AI infrastructure landscape continues to mature, we can expect more vulnerabilities like this to emerge. The key to defending against them is treating AI infrastructure with the same rigor and security controls as production systems, implementing defense-in-depth strategies, and maintaining an aggressive patching cadence. Organizations that fail to prioritize security in their AI infrastructure will face significant risks in 2026 and beyond.
