CVE-2026-33626 is a critical SSRF vulnerability in LMDeploy, an open-source LLM inference engine, that was weaponized within 12-13 hours of public disclosure. An attacker can force an exposed LMDeploy instance to issue HTTP requests to cloud instance metadata services or internal network resources, enabling credential theft from cloud IMDS endpoints and lateral movement into the hosting environment.