Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-33626
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-20 Apr, 2026 | 20:29
Updated At-21 Apr, 2026 | 19:50
Rejected At-
▼CVE Numbering Authority (CNA)
LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The `load_image()` function in `lmdeploy/vl/utils.py` fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

Affected Products
Vendor
InternLM
Product
lmdeploy
Versions
Affected
  • < 0.12.3
Problem Types
TypeCWE IDDescription
CWECWE-918CWE-918: Server-Side Request Forgery (SSRF)
Type: CWE
CWE ID: CWE-918
Description: CWE-918: Server-Side Request Forgery (SSRF)
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq
x_refsource_CONFIRM
https://github.com/InternLM/lmdeploy/pull/4447
x_refsource_MISC
https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626
x_refsource_MISC
https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3
x_refsource_MISC
Hyperlink: https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/InternLM/lmdeploy/pull/4447
Resource:
x_refsource_MISC
Hyperlink: https://github.com/InternLM/lmdeploy/commit/71d64a339edb901e9005358e0633fbbab367d626
Resource:
x_refsource_MISC
Hyperlink: https://github.com/InternLM/lmdeploy/releases/tag/v0.12.3
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq
exploit
Hyperlink: https://github.com/InternLM/lmdeploy/security/advisories/GHSA-6w67-hwm5-92mq
Resource:
exploit
Details not found