CVE-2026-33626

Source
https://cve.org/CVERecord?id=CVE-2026-33626
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33626.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33626
Aliases
Published
2026-04-20T20:29:19.558Z
Modified
2026-07-08T08:12:49.286182197Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading
Details

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33626.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-918"
    ]
}
References

Affected packages

Git / github.com/internlm/lmdeploy

Affected ranges

Type
GIT
Repo
https://github.com/internlm/lmdeploy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:internlm:lmdeploy:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.12.3"
        }
    ]
}

Affected versions

0.*
0.6.5
v0.*
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.0a0
v0.1.0a1
v0.1.0a2
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.12.1
v0.12.2
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.5.1
v0.5.2
v0.5.2.post1
v0.5.3
v0.6.0
v0.6.0a0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0
v0.7.0.post1
v0.7.0.post2
v0.7.0.post3
v0.7.1
v0.7.2
v0.7.2.post1
v0.8.0
v0.9.0
v0.9.1
v0.9.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33626.json"