system: OPERATIONAL
← back to all hacks
INFRASTRUCTURE CRITICAL NEW

When the image loader becomes an SSRF: cloud metadata theft on vision-LLM nodes

A server-side request forgery in a popular open-source LLM serving toolkit let attackers turn a vision model's image loader into a scanner for cloud metadata and internal services — exploited within hours of disclosure.

2026-07-15 // 6 min affects: lmdeploy, internvl2, internlm-xcomposer2

What is this?

On April 21, 2026, the maintainers of LMDeploy — a widely used open-source toolkit for compressing, deploying, and serving large language and vision-language models — published a security advisory for a server-side request forgery (SSRF) flaw in its vision-language module. The bug was reported by Orca Security researcher Igor Stepansky. Within 12 hours and 31 minutes, the Sysdig Threat Research Team recorded the first exploitation attempt against its honeypots, and by the following day the flaw was being used in the wild. This write-up is based on the maintainers’ public advisory and post-incident analysis; no working exploit is reproduced here.

The lesson generalizes well beyond one toolkit: when a model server fetches a URL on your behalf, that fetch is an attack surface — and on a GPU inference node, it can be an unusually valuable one.

How it works

Multimodal endpoints accept images. Rather than force every caller to upload raw bytes, most serving stacks let a request pass an image URL, which the server dutifully fetches. In the affected code, the image-loading helper retrieved arbitrary URLs without checking where they pointed — no hostname resolution check, no private-network blocklist, no protection for link-local addresses.

That turns the vision endpoint into a general-purpose HTTP request primitive controlled by whoever can call the API. Instead of an image, an attacker supplies a URL aimed at the infrastructure behind the server:

POST /v1/chat/completions            (a normal vision request)
  image_url: http://169.254.169.254/latest/meta-data/iam/security-credentials/
        |
  server fetches the URL server-side, no destination validation
        |
  response (or timing/error) reveals internal-only resources:
  cloud metadata (IMDS), Redis, MySQL, admin interfaces, loopback ports

In the observed intrusion, the attacker did not stop at confirming the bug. Over a single eight-minute session they used the image loader to probe the internal network: the cloud metadata service, a Redis instance, MySQL, a secondary administrative HTTP interface, and an out-of-band DNS callback to confirm outbound reach. They also rotated between different vision models on the same server to blend in with legitimate traffic.

Why it matters

A textbook SSRF is bad; an SSRF on an AI-serving node is worse because of what those nodes hold. Vision-LLM workers usually run on GPU instances with broad cloud roles — access to model-artifact buckets, training datasets, and often cross-account assume-role permissions. A single successful fetch of the instance metadata service can hand an attacker temporary IAM credentials, and from there the blast radius is the whole cloud account, not just one container.

The timeline is the other uncomfortable part. This flaw was weaponized in well under a day, before most operators could patch, and with no public proof-of-concept at the time. That fits a pattern the responders called out directly: a detailed advisory — affected file, parameter name, root-cause explanation, sample code — is effectively a ready-made prompt for a model to draft an exploit. AI infrastructure is being scanned and hit within hours of any disclosure, regardless of how niche the project is.

Defenses

Validate every server-side fetch destination. Resolve the hostname first, then reject private, loopback, and link-local ranges (including the metadata address) and non-HTTP schemes. Re-check after resolution to defeat DNS rebinding, and prefer an allowlist of expected image hosts over a denylist.

Lock down the metadata service. Require IMDSv2 (session-token) and set the response hop limit to 1 so a proxied SSRF cannot reach it. This one control neutralizes the highest-impact step of the observed attack.

Give inference nodes least privilege. A model server rarely needs broad S3 or cross-account roles attached to the instance. Scope the role to exactly what serving requires, and keep training-data and artifact permissions on separate identities.

Contain egress and internal reachability. Default-deny outbound traffic from inference workers, segment them away from Redis, databases, and admin interfaces, and alert on a model host suddenly making DNS or TCP connections to internal ranges.

Patch on advisory, not on convenience. Because AI-infra flaws are exploited in hours, treat serving-stack advisories as emergency changes: upgrade to the fixed release promptly and monitor for the indicators published with the advisory.

Status

ItemDetail
ReferenceGitHub advisory GHSA-6w67-hwm5-92mq (CVE-2026-33626), CVSS 7.5
DisclosedApril 21, 2026; first in-the-wild attempt within ~12.5 hours
AffectedLMDeploy vision-language module, all versions with vision support up to the patched release (0.12.x and earlier per the advisory)
Root causeload_image() fetched arbitrary URLs without validating internal/private/link-local destinations
ImpactInternal network scanning, access to Redis/MySQL/admin interfaces, cloud metadata and IAM credential theft
FixUpgrade to the patched release; apply destination validation as described in the advisory

Sources