CVE-2026-26214
TLS Hostname Verification Bypass in Galaxy FDS Android SDK Enables MITM
Publication date: 2026-02-12
Last updated on: 2026-02-20
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xiaomi | galaxy_fds_android_sdk | up to 3.0.8 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-297 | The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26214 is a vulnerability in the Xiaomi Galaxy FDS Android SDK (version 3.0.8 and earlier) where TLS hostname verification is disabled by default when HTTPS is enabled.

Specifically, the SDK configures Apache HttpClient with a hostname verifier that accepts any valid TLS certificate regardless of hostname mismatches, which means it does not properly verify that the server's certificate matches the intended hostname.

Because HTTPS is enabled by default, all applications using the SDK with default settings are affected.

This flaw allows a man-in-the-middle (MITM) attacker to intercept and modify communications between the SDK and Xiaomi FDS cloud storage endpoints. [2]
How can this vulnerability impact me?
This vulnerability allows an attacker positioned for a man-in-the-middle attack (for example on the same Wi-Fi network or anywhere on the path to the endpoint) to intercept and modify the data exchanged between an application using the SDK and Xiaomi FDS cloud storage, provided the attacker presents a certificate that chains to a CA the device trusts; the certificate need not be issued for the FDS hostname, because that is exactly the check the SDK skips.
Such interception can lead to exposure of sensitive information including authentication credentials, file contents, and API responses.
This compromises the confidentiality and integrity of your data and communications, potentially leading to unauthorized access and data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists because the Galaxy FDS Android SDK versions 3.0.8 and prior disable TLS hostname verification by default, allowing man-in-the-middle attacks.
Since the XiaoMi/galaxy-fds-sdk-android project is end-of-life and no further patches are expected, immediate mitigation steps include:
- Avoid using the affected SDK versions (3.0.8 and earlier) in your applications.
- If possible, modify the SDK usage to enforce proper TLS hostname verification: replace ALLOW_ALL_HOSTNAME_VERIFIER with a verifier that checks the certificate's CN/SAN against the requested host (in the legacy Apache HttpClient API, STRICT_HOSTNAME_VERIFIER or BROWSER_COMPATIBLE_HOSTNAME_VERIFIER).
- Consider compensating network controls, such as routing the application's traffic over a VPN or detecting TLS interception at the network level, to reduce MITM exposure; these reduce risk but do not fix the SDK.
- Monitor network traffic for suspicious activity involving communications to Xiaomi FDS cloud storage endpoints.
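The vulnerable configuration described in the explanation above, beside its hardened form and an offline probe that tells the two apart, as an added example that is not the Galaxy FDS SDK's own code. It assumes the legacy Apache HttpClient 4.1/4.2 API (org.apache.http.conn.ssl.SSLSocketFactory and its X509HostnameVerifier constants, which is where ALLOW_ALL_HOSTNAME_VERIFIER lives); FDS_HOST and attacker.example are placeholder names, not real endpoints.

```java
import javax.net.ssl.SSLException;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;

// Added example, not code from the Galaxy FDS SDK. Assumes the legacy
// Apache HttpClient 4.1/4.2 API; hostnames below are placeholders.
public class FdsHostnameVerification {

    // Placeholder for the FDS endpoint; the real endpoint is not part of this example.
    static final String FDS_HOST = "fds.example.com";

    // Vulnerable pattern (CWE-297): HTTPS is on and the chain is validated
    // against the trust store, but the hostname check is switched off, so a
    // certificate issued by any trusted CA for ANY name is accepted.
    static HttpClient vulnerableClient() {
        SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
        sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return clientUsing(sf);
    }

    // Hardened pattern: a verifier that requires the certificate's CN/SAN
    // to match the host being connected to.
    static HttpClient hardenedClient() {
        SSLSocketFactory sf = SSLSocketFactory.getSocketFactory();
        sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return clientUsing(sf);
    }

    // Registers the socket factory for https on the client's scheme registry.
    static HttpClient clientUsing(SSLSocketFactory sf) {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", 443, sf));
        return client;
    }

    // Offline probe, no network needed: ask the verifier whether a certificate
    // whose CN is certName is acceptable for a connection to host.
    // X509HostnameVerifier.verify throws SSLException on a mismatch, so a
    // return value of true means the verifier actually checks the name.
    static boolean rejectsMismatch(X509HostnameVerifier v, String host, String certName) {
        try {
            v.verify(host, new String[] { certName }, new String[0]);
            return false;
        } catch (SSLException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        // CN on the interceptor's otherwise valid, CA-issued certificate.
        String mitmCertName = "attacker.example";
        System.out.println("ALLOW_ALL rejects mismatched name: "
            + rejectsMismatch(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, FDS_HOST, mitmCertName));
        System.out.println("STRICT rejects mismatched name:    "
            + rejectsMismatch(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER, FDS_HOST, mitmCertName));
    }
}
```

The probe in main touches only the verifier objects, so it runs on a plain JVM with httpclient 4.1 or 4.2 on the classpath; the same rejectsMismatch check can be dropped into an app's instrumentation tests to fail the build if an ALLOW_ALL verifier ever reaches the https scheme. On Android 6 and later the legacy org.apache.http classes are only available with useLibrary 'org.apache.http.legacy' in the Gradle build, which is itself a sign that the app is carrying this old HTTP stack.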