http://169.254.169.254/, the cloud instance metadata endpoint, and hand back the temporary IAM role credentials parked there. In 2026 that stopped being theoretical: three separate CVEs across the AI ecosystem, LMDeploy, mcp-atlassian, and Crawl4AI, all did exactly this, and one was exploited within roughly thirteen hours of disclosure. This is Server-Side Request Forgery, CWE-918, and the AI stack is full of it.
This is a piece about a class, not a single product. The AI and agent boom shipped a huge amount of new server-side code whose whole job is to fetch something a user pointed at: an image URL for a multimodal model, a link for a retrieval pipeline, a page for a crawler, an endpoint for a Model Context Protocol connector. Each fetch runs from inside your network with your instance's IAM role attached, and every cloud instance answers a request to 169.254.169.254 with credentials for that role. The only thing between an attacker-supplied URL and those credentials is whether the fetching code refuses to follow links into link-local and internal ranges. In 2026 a lot of it did not. Verifiable security.
Three fetches, three ways to forget the metadata endpoint
LMDeploy (CVE-2026-33626, fixed in 0.12.3, scored 7.5). LMDeploy serves vision-language models, so it turns an image reference into pixels. Its load_image() helper in lmdeploy/vl/utils.py fetched arbitrary URLs with no validation of the destination address. A vision request is supposed to carry a picture; instead it could carry http://169.254.169.254/latest/meta-data/iam/security-credentials/, the server fetched it, and the response channel returned the cloud IAM role credentials at that path. The public record is blunt: reporting indicates the flaw was exploited within roughly thirteen hours of disclosure. A loader that loads any URL is a credential exfiltration primitive the moment it runs on a cloud instance.
mcp-atlassian (CVE-2026-27826, fixed in 0.17.0, scored 8.2). This is a Model Context Protocol server bridging an AI agent to Atlassian products. The defect let an unauthenticated caller supply two custom HTTP headers that steered an outbound request to any URL of the caller's choosing, including the metadata endpoint. The sharp edge is the pre-authentication reachability: a connector meant to talk to a known SaaS backend became a general-purpose request proxy pointed wherever the attacker aimed, no credentials required.
Crawl4AI (CVE-2026-53755, fixed in 0.8.9, scored 8.6). Crawl4AI is a crawler built for feeding LLM pipelines, and it actually had an SSRF allow-and-deny check, applied to the wrong field. It validated the crawl target URL, the obvious attacker input, but not the proxy address in browser_config.proxy_config.server. So the crawl URL could look perfectly clean while the browser was routed through an internal address the check never inspected. Compounding it, Crawl4AI's Docker deployment exposes its API unauthenticated by default, so on a default install nobody was at the door at all.
Line those three up and the through-line is sharp. None is an exotic bug. Each is an SSRF defense that forgot the metadata endpoint entirely (LMDeploy), trusted an unauthenticated caller to name its own destination (mcp-atlassian), or validated one field while leaving the transport open (Crawl4AI). The metadata endpoint is the target every time: it is the one address on the cloud network that hands credentials to anyone who can reach it from the instance, and a server-side fetcher always can.
The metadata endpoint answers any request that reaches it from the instance. A fetcher that does not deny link-local and internal ranges turns that into credential theft. Illustrative only.
How to tell if you are carrying this
You do not need to fire a real exploit at your metadata endpoint to know whether you are exposed. The exposure is two readable facts: which of your AI services make server-side fetches, and what version each runs.
- Inventory the fetchers. Walk your AI and agent footprint for anything that takes a URL or host and retrieves it server-side: multimodal image loaders, web and document loaders in retrieval pipelines, MCP HTTP servers, crawlers, link-preview and screenshot helpers. Each is an SSRF candidate by construction, because fetching a caller-influenced URL is its whole job.
- Version-check each against the fixed builds. LMDeploy before 0.12.3, mcp-atlassian before 0.17.0, and Crawl4AI before 0.8.9 are the named cases, but the class is far broader. Version is the highest-signal fact, usually a one-line query against the service or its lockfile.
- Prove egress with a responder you control, not real IMDS. Point the fetch at an internal HTTP responder you own and watch whether the request arrives. If it does, the service will follow a link into internal space, and the metadata endpoint is one such link. This confirms the exposure without ever reading a real credential.
The fetch is the feature. Every AI server is supposed to go get a URL for you. The bug is that so many of them will go get 169.254.169.254 too.
What to do about it
Close the metadata path on every AI fetcher
- Upgrade the named packages now. LMDeploy to 0.12.3 or later, mcp-atlassian to 0.17.0 or later, Crawl4AI to 0.8.9 or later. Treat a public-facing service on an older build as an active issue, not a backlog item.
- Enforce an allow-list on every server-side fetch, and deny link-local (169.254.0.0/16) and RFC1918 ranges by default. The answer to "may I fetch this address" is no unless the destination is on the list.
- Apply that same validation to proxy and transport fields, not just the obvious target URL. The proxy address is attacker input too, as Crawl4AI showed.
- Require IMDSv2 with a hop limit of 1, so a proxied or forwarded request cannot reach the credentials even if a fetch slips past the URL validation.
- Authenticate the Crawl4AI Docker API and keep it off the public internet. An unauthenticated control plane lets anyone who can reach it command the fetch.
- Scope the instance IAM role to the minimum, so a leaked credential is worth as little as possible.
How Celvex catches this
Find. Prove. Fix. Verify.
A read-only inventory of your AI and agent services identifies every helper that makes a server-side fetch, image loaders, web loaders, MCP servers, crawlers, and fingerprints each version against the known-vulnerable builds.
A confirmed unfiltered fetcher becomes an Ed25519-signed Proof Capsule carrying the service, its version evidence, and the egress observation from an internal responder we control, reproducible offline by you or your auditor. No real credential is read to prove it.
The capsule's remediation block names the steps: upgrade to the fixed build, add an allow-list plus a link-local and RFC1918 deny on every fetch and proxy field, require IMDSv2 with hop limit 1, and authenticate the crawler control plane.
A fresh probe against the internal responder now comes back blocked, IMDSv2-only is confirmed, and the proxy fields reject internal destinations. The finding closes and the verified-fix event is recorded.
This class slipped through because a URL fetcher does not look like an attack surface. It looks like a convenience. But a convenience that runs server-side with a cloud identity attached is exactly the shape of an SSRF primitive, and the AI boom shipped that shape by the thousand. Treat every server-side fetch as hostile by default about where it points, and remember that the one destination you must always refuse is the one that answers with credentials.
Verifiable security. Find the fetchers, prove the egress against a responder you own, fix the validation and the metadata configuration, and verify the path is closed. That is what we ship.
Sources
- NVD: CVE-2026-33626 (LMDeploy SSRF via load_image)
- NVD: CVE-2026-27826 (mcp-atlassian header-controlled SSRF)
- CVEFeed: CVE-2026-53755 (Crawl4AI proxy-field SSRF)
- The Hacker News: LMDeploy CVE-2026-33626 exploited within hours of disclosure
- MITRE CWE-918: Server-Side Request Forgery
- CELVEX Group: Proof Capsule format
Which of your AI services will fetch 169.254.169.254?
Free Exposure Check, no signup required. We inventory the URL-fetching helpers across your AI and agent stack, fingerprint their versions against the known-vulnerable builds, and ship a signed Proof Capsule for the highest-confidence finding, without ever reading a real credential.
Run a Free Scan →