CVE-2026-33626: Security Vulnerability in LMDeploy Actively Exploited
A serious security vulnerability in LMDeploy, an open-source toolkit for compressing, deploying, and operating LLMs, was actively exploited within 13 hours of its public disclosure. The vulnerability, identified as CVE-2026-33626, has a CVSS score of 7.5 and is a Server-Side Request Forgery (SSRF) flaw that allows attackers to access sensitive data. The discovery of the vulnerability was announced on April 24, 2026. Security researchers immediately warned of the potential risks associated with this vulnerability.
Because SSRF lets attackers reach internal systems, the vulnerability poses a significant risk to companies using LMDeploy. Following the disclosure of the vulnerability, several security firms and researchers began analyzing its impact. Initial reports indicate that attackers are able to exploit the vulnerability to steal confidential information or compromise systems. The speed with which attackers responded suggests that the vulnerability is considered valuable to cybercriminals. The developers of LMDeploy have already announced an update to address the security vulnerability.
This update is expected to be released in the coming days to protect affected systems. Users are strongly urged to check their installations and install the update promptly once it becomes available. The vulnerability affects not only companies using LMDeploy in their production environments but also developers utilizing the toolkit for research and development purposes. The vulnerability could be exploited in various scenarios, underscoring the urgency of remediation. The community has already responded to the vulnerability by sharing information and potential workarounds.
Some security researchers have proposed alternative methods to secure systems to minimize the risk of an attack until an official update is provided. The rapid exploitation of the vulnerability highlights the importance of implementing security updates in a timely manner and regularly checking systems for vulnerabilities. Experts recommend that companies take proactive measures to protect their systems and prepare for future threats. The security vulnerability CVE-2026-33626 could potentially affect thousands of systems worldwide, as LMDeploy is used in many organizations. The exact number of affected systems is currently unclear, but a high prevalence is expected.
The developers of LMDeploy have announced that they will continue to monitor the security situation and provide regular updates to ensure the integrity of their software. The community is encouraged to share all relevant information to minimize the impact of the vulnerability. The vulnerability has been classified as one of the most critical in recent times, highlighting the need to improve security practices in software development. The release of the update is expected on April 30, 2026.