PatchSiren cyber security CVE debrief
CVE-2026-26214 Xiaomi Technology Co., Ltd. CVE debrief
The Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled, which is the default configuration. This allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints. The vulnerability affects all applications using the SDK with default settings. Developers and users of the Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior should be aware of this vulnerability and take steps to mitigate it. The CVE record and NVD entry provide additional context, but their accuracy and completeness are not verified by this debrief. To address this vulnerability, developers should update to a version of the Galaxy FDS Android SDK that enables TLS hostname verification and implement additional security measures.
- Vendor
- Xiaomi Technology Co., Ltd.
- Product
- Galaxy FDS Android SDK
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-12
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-02-12
- Advisory updated
- 2026-07-14
Who should care
Developers and users of the Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior should be aware of this vulnerability and take steps to mitigate it. This includes updating to a version of the Galaxy FDS Android SDK that enables TLS hostname verification, implementing additional security measures, and monitoring SDK communications for suspicious activity.
Technical summary
The Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior configure Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses.
Defensive priority
High
Recommended defensive actions
- Update to a version of the Galaxy FDS Android SDK that enables TLS hostname verification
- Implement additional security measures, such as certificate pinning
- Monitor SDK communications for suspicious activity
- Use a secure communication protocol, such as HTTPS, with proper certificate validation
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-02-12T16:16:17.183Z and was last modified on 2026-07-14T16:16:58.317Z. The NVD entry is currently Deferred. The Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled, which is the default configuration. This allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints. Developers and users of the Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior should be aware of this vulnerability and take steps to mitigate it. The CVE record and NVD entry provide additional context, but their accuracy and completeness are not verified by this debrief.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-12T16:16:17.183Z and has not been modified since then. The NVD entry is currently Deferred.