LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
Summary
A high-severity Server-Side Request Forgery (SSRF) vulnerability, CVE-2026-33626, has been discovered in LMDeploy, an open-source toolkit for deploying and serving large language models (LLMs). The flaw allows attackers to reach sensitive data, and it was actively exploited in the wild within 13 hours of its disclosure.
IFF Assessment
The active exploitation of a high-severity vulnerability in an LLM deployment tool so soon after disclosure is bad news for defenders: it shows how rapidly such flaws are weaponized and how little time remains to patch.
Severity
The CVSS score of 7.5 indicates High severity. The rating reflects the nature of SSRF: an attacker can make the server issue requests on their behalf, potentially reaching internal resources that are not directly exposed.
Defender Context
Defenders should expect vulnerabilities in LLM infrastructure to be exploited quickly. Organizations running LMDeploy or similar tools need to prioritize patching and implement security controls that mitigate SSRF, such as restricting which destinations the server is allowed to fetch, in order to protect sensitive data.
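One such control is an outbound URL guard that vets a client-supplied destination before the server fetches it. The code below is an added example for this advisory, not LMDeploy's code, and it does not model the specific vulnerable code path of CVE-2026-33626, which this page does not describe; the function names and the hostnames in its tests are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(host):
    """Return every address for host; IP literals pass through without DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_blocked_address(addr):
    """True for any address the server must not be steered into contacting."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return is_blocked_address(str(ip.ipv4_mapped))
    # Covers RFC 1918, loopback, link-local (including the 169.254.169.254
    # cloud metadata address), 0.0.0.0, multicast and reserved ranges.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_outbound_url(url, resolver=default_resolver):
    """Return (ok, reason); only public http(s) destinations pass.

    Every resolved address is checked: a name with one public and one
    internal record is rejected, not accepted on the public one.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError):
        return False, f"cannot resolve host: {host}"
    if not addrs:
        return False, f"no addresses for host: {host}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

The check is only as good as what the fetch does afterwards: to avoid a DNS-rebinding window between check and connect, the HTTP client should connect to the vetted address rather than re-resolving the name, and it should re-run the check on every redirect.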