CVE-2026-26214
Awaiting Analysis Awaiting Analysis - Queue
TLS Hostname Verification Bypass in Galaxy FDS Android SDK Enables MITM

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: VulnCheck

Description
Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26214
EUVD
EUVD-2026-7018
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xiaomi galaxy_fds_android_sdk to 3.0.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-297 The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26214 is a vulnerability in the Xiaomi Galaxy FDS Android SDK (version 3.0.8 and earlier) where TLS hostname verification is disabled by default when HTTPS is enabled.'}, {'type': 'paragraph', 'content': "Specifically, the SDK configures Apache HttpClient with a hostname verifier that accepts any valid TLS certificate regardless of hostname mismatches, which means it does not properly verify that the server's certificate matches the intended hostname."}, {'type': 'paragraph', 'content': 'Because HTTPS is enabled by default, all applications using the SDK with default settings are affected.'}, {'type': 'paragraph', 'content': 'This flaw allows a man-in-the-middle (MITM) attacker to intercept and modify communications between the SDK and Xiaomi FDS cloud storage endpoints.'}] [2]

Impact Analysis

This vulnerability can allow an attacker performing a man-in-the-middle attack to intercept and modify the data exchanged between your application using the SDK and Xiaomi FDS cloud storage.

Such interception can lead to exposure of sensitive information including authentication credentials, file contents, and API responses.

This compromises the confidentiality and integrity of your data and communications, potentially leading to unauthorized access and data breaches.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability exists because the Galaxy FDS Android SDK versions 3.0.8 and prior disable TLS hostname verification by default, allowing man-in-the-middle attacks.

Since the XiaoMi/galaxy-fds-sdk-android project is end-of-life and no further patches are expected, immediate mitigation steps include:

  • Avoid using the affected SDK versions (3.0.8 and earlier) in your applications.
  • If possible, modify the SDK usage to enforce proper TLS hostname verification instead of using ALLOW_ALL_HOSTNAME_VERIFIER.
  • Consider implementing additional network security controls such as VPNs or network-level TLS interception detection to reduce MITM risks.
  • Monitor network traffic for suspicious activity involving communications to Xiaomi FDS cloud storage endpoints.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart