Phronia Counsel

AI Amplifies Everything. Including Your Bad Security.

AI doesn't change which drivers are bad. It hands them faster cars and takes the governor off.

LMDeploy CVE-2026-33626 was disclosed on Monday, April 21. Thirteen hours later, attackers were exploiting it in the wild. Sysdig caught the first attempt against a honeypot 12 hours and 31 minutes after public disclosure. The vulnerable function fetched arbitrary URLs through a vision-language model image loader without validating that the target was not an internal IP. Attackers used it as a generic Server-Side Request Forgery primitive: a request to the AWS Instance Metadata Service, a port scan for Redis, MySQL, and a secondary HTTP admin interface, plus out-of-band DNS exfiltration. Ten requests across three phases in eight minutes.
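The bug class in that report is a loader that fetches whatever URL it is handed. As an added example, not LMDeploy's or Sysdig's code, this is the deny-by-default check a fetcher of that kind should run before opening a connection; `validate_image_url`, its injectable `resolve` parameter and the hostnames used in the test are assumptions for illustration.

```python
"""Deny-by-default target validation for a URL-fetching image loader.

Added example, not LMDeploy's code. The pattern: resolve the host first,
refuse any answer that is not a public unicast address, and hand back the
one address that was checked so the caller connects to it, not to a fresh
resolution that might differ.
"""
import ipaddress
import socket
from typing import List, Optional, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Metadata endpoints are link-local or ULA and would fail the public check anyway;
# listed explicitly so the intent is visible in review.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def _resolve(host: str, port: int) -> List[str]:
    """Default resolver: every A/AAAA answer for host, as address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast; loopback, RFC 1918, link-local,
    ULA, shared address space and documentation ranges are all rejected."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable answer: deny rather than guess
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return ip.is_global and not ip.is_multicast


def validate_image_url(url: str, resolve=_resolve) -> Tuple[bool, str, Optional[str]]:
    """Return (allowed, reason, pinned_ip); pinned_ip is the address to connect to."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed", None
    host = parsed.hostname
    if not host:
        return False, "missing host", None
    if host.lower() in METADATA_HOSTS:
        return False, "cloud metadata endpoint", None
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        addrs = resolve(host, port)
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}", None
    if not addrs:
        return False, "no addresses", None
    # Every answer must pass: a mixed public/private answer set is a rebinding trick.
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}", None
    return True, "ok", addrs[0]
```

The pinned address is the important part: checking the name and then letting an HTTP client resolve it again reopens the hole the check was meant to close.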

This isn't a story about LMDeploy. LMDeploy is just the part of the stack that hit the news this week. The story is what happens when an industry runs its AI infrastructure like it lives in a different security universe than the rest of production.

It doesn't.

This isn't new. The urgency is.

LLMs are a new attack tool and a new attack surface at the same time. The speed of what they enable also makes everything they touch additional attack surface. None of that is genuinely new. The same things you should have been doing for the last decade still answer the question. Zero Trust principles. Least privilege. Segmentation. Monitoring of internal traffic.

What changed is the timeline. A pilot reaches production scope in weeks. A vulnerability gets exploited in hours. A generative model hallucinates a bad code pattern, and ten engineers ship it before lunch.

Speed is exposure. Zero Trust isn't new. The urgency is.

Three surfaces, not one

Most organizations are talking about AI security as if it has a single surface: the model. It doesn't. AI has three.

Surface one: your traditional stack, now accelerated. Your existing infrastructure, identity perimeter, endpoint coverage, and detection-and-response, all under pressure from machine-speed reconnaissance, credential testing, and lateral movement on either side of the breach. Same patches you've been deferring. Same misconfigurations you've been ignoring. Slow-burning fire before. Fast one now.

Surface two: the LLM and its application stack. Inference servers, vector stores, retrieval pipelines, agent orchestration, prompt management, fine-tuning pipelines. LMDeploy is one example. The category is large and growing weekly. Most of it is open source, deployed by data and ML teams, and not in scope for the standard security review.

Surface three: the AI's output. Code generated by AI, content delivered by AI, decisions made by AI, actions taken by AI agents. Anything downstream that consumes the output and trusts it as if a human had produced it.

Most organizations are racing to govern surface two while pretending surface one is solved. It isn't. Surface three is barely on the roadmap.

The order matters. Before you protect the LLM itself, confirm you're protecting the traditional attack surface against the acceleration the LLM creates. Then govern the LLM stack as production infrastructure. Then govern the output as untrusted input to every downstream system.

Bad drivers, faster cars, no speed limit

AI doesn't change which drivers are bad. It hands them faster cars and takes the governor off. The same people who couldn't stay between the lines at thirty miles an hour are now driving at one-ten with no posted limit. The collisions aren't a new problem. The blast radius is.

If your basics were broken before AI, AI made the breach faster. If your identity stack was over-provisioned, your agents are exploring scopes you forgot you granted. If your code review was rubber-stamping, AI industrialized the rubber stamp. The LLM will amplify all of your bad habits and poor security. Every one of them.

Three places AI is amplifying bad security right now

1. Insecure code at scale. AI generates code faster than humans can review it. The bad patterns that always shipped now ship at ten times the volume. SQL injections, hardcoded credentials, broken authentication checks, unsafe deserialization. AI didn't invent these patterns. It industrialized them. The fix isn't to ban AI from coding. The fix is to treat AI-authored code as untrusted by default, gate it through static analysis and security review, and stop pretending the AI is a senior engineer.

2. Agents inheriting twenty years of over-provisioning. For two decades, security teams have warned about over-provisioned service accounts and broad-scope identities. For two decades, organizations over-provisioned anyway. Suzy's service account never explored its permissions. AI agents will. Creativity is the product. The agent will route around the tight sandbox if the configuration next door allows it.

3. Shadow AI exfiltrating data outside the perimeter. Employees use unsanctioned AI tools because the sanctioned ones are slow, locked down, or not deployed yet. They paste customer data into a public chatbot to summarize a meeting. They drop source code into a coding assistant that retains training data. They upload contracts into a translation tool with unclear data handling. The data leaves the perimeter without anyone noticing. The compliance exposure compounds quietly until it doesn't.

Three amplifications, three surfaces, one root cause. The LLM didn't break your security model. It revealed where the model was already broken.

To CISOs

Audit your basics first. Run a Zero Trust posture review with explicit AI scenarios in scope. Where does machine-speed reconnaissance break your detection? Where does machine-speed lateral movement outpace your response? Where do over-provisioned service accounts become agent jailbreaks waiting to happen?

Then govern the LLM stack as production infrastructure. Inference servers are production web servers. Vector stores hold sensitive context. Agent orchestration is privileged automation. Treat each as what it is.

Then govern the AI output as untrusted input. AI-generated code goes through the same gates as human-generated code, with extra scrutiny because the volume is higher. AI decisions feeding into other systems get the same input validation you'd apply to anything else.

To CIOs

Stop letting AI projects bypass security review because they're "pilots." A pilot in 2026 is a production-scope deployment in weeks, not quarters. The data is real. The integrations are live. The blast radius is already there. Security has to be in the loop from day one, or you'll be doing forensics on day one hundred.

If you're shipping the small wins, ship them with security. Speed without security is just a faster failure mode.

To boards

Stop asking your CISO "what's our AI security strategy?" That's a slide-deck question. Ask operational ones. What did our last red team find when they pretended to be an LLM-assisted attacker? What did our last security review of the inference stack uncover? How many AI deployments are in production right now, and how many went through security review before launch?

Reward leaders who can answer those cleanly. Distrust the ones who can't.

The bottom line

Bad drivers in faster cars with no speed limit don't crash because of the cars. They crash because of the drivers. AI doesn't fix bad security. It amplifies it. Same drivers. Same potholes. Different speed.

Do the basics. Do them well. Then layer.

Sources