{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/lmdeploy/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33626"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LMDeploy"],"_cs_severities":["high"],"_cs_tags":["lmdeploy","ssrf","vulnerability"],"_cs_type":"advisory","_cs_vendors":["LMDeploy"],"content_html":"\u003cp\u003eA Server-Side Request Forgery (SSRF) vulnerability has been identified in the vision-language module of LMDeploy, affecting versions prior to 0.12.3. Specifically, the \u003ccode\u003eload_image()\u003c/code\u003e function in \u003ccode\u003elmdeploy/vl/utils.py\u003c/code\u003e lacks proper validation of URLs before fetching images. This allows an attacker to craft malicious requests containing URLs pointing to internal resources, cloud metadata endpoints (like AWS's 169.254.169.254), or other sensitive internal network locations. The server, which binds to \u003ccode\u003e0.0.0.0\u003c/code\u003e by default and has API keys disabled, becomes an unwitting proxy, enabling the attacker to potentially steal cloud credentials or access internal services that are not exposed to the internet. This issue was tested against the main branch as of February 4, 2026. Orca Security discovered and reported this vulnerability, designated as CVE-2026-33626.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an LMDeploy server running a vulnerable version with vision-language capabilities enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to the \u003ccode\u003e/v1/chat/completions\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the request body, the attacker includes a malicious \u003ccode\u003eimage_url\u003c/code\u003e pointing to an internal resource (e.g., \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe LMDeploy server receives the request and, without proper validation, passes the \u003ccode\u003eimage_url\u003c/code\u003e to the \u003ccode\u003eload_image()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eload_image()\u003c/code\u003e function uses the \u003ccode\u003erequests.get()\u003c/code\u003e method to fetch the resource at the attacker-supplied URL.\u003c/li\u003e\n\u003cli\u003eThe server inadvertently retrieves the content from the internal resource (e.g., cloud metadata).\u003c/li\u003e\n\u003cli\u003eThe attacker receives the sensitive information (e.g., AWS credentials) through a callback server or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or accessed information to further compromise the system or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability can lead to several critical consequences. Attackers can steal cloud credentials from AWS, Azure, or GCP metadata services, granting them unauthorized access to cloud resources. They can also access internal services and resources that are not exposed to the internet, potentially gaining access to sensitive data or control over internal systems. Furthermore, attackers can use the compromised server as a pivot point to perform port scanning and other reconnaissance activities on the internal network, facilitating lateral movement and further attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade LMDeploy to version 0.12.3 or later to patch CVE-2026-33626.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect LMDeploy SSRF Attempt to Cloud Metadata\u0026quot; to detect attempts to access cloud metadata endpoints.\u003c/li\u003e\n\u003cli\u003eMonitor network connections from the LMDeploy server for suspicious outbound traffic to internal IP ranges using the \u0026quot;Detect LMDeploy SSRF Attempt to Internal IP\u0026quot; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-lmdeploy-ssrf/","summary":"A server-side request forgery (SSRF) vulnerability exists in LMDeploy's vision-language module, allowing attackers to access cloud metadata services and internal networks by exploiting the lack of URL validation in the `load_image()` function.","title":"LMDeploy Vision-Language Module SSRF Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-lmdeploy-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - LMDeploy","version":"https://jsonfeed.org/version/1.1"}