PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-26214 Xiaomi Technology Co., Ltd. CVE debrief

The Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled, which is the default configuration. This allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints. The vulnerability affects all applications using the SDK with default settings. Developers and users of the Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior should be aware of this vulnerability and take steps to mitigate it. The CVE record and NVD entry provide additional context, but their accuracy and completeness are not verified by this debrief. To address this vulnerability, developers should update to a version of the Galaxy FDS Android SDK that enables TLS hostname verification and implement additional security measures.

Vendor
Xiaomi Technology Co., Ltd.
Product
Galaxy FDS Android SDK
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-12
Original CVE updated
2026-07-14
Advisory published
2026-02-12
Advisory updated
2026-07-14

Who should care

Developers and users of the Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior should be aware of this vulnerability and take steps to mitigate it. This includes updating to a version of the Galaxy FDS Android SDK that enables TLS hostname verification, implementing additional security measures, and monitoring SDK communications for suspicious activity.

Technical summary

The Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior configure Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses.

Defensive priority

High

Recommended defensive actions

  • Update to a version of the Galaxy FDS Android SDK that enables TLS hostname verification
  • Implement additional security measures, such as certificate pinning
  • Monitor SDK communications for suspicious activity
  • Use a secure communication protocol, such as HTTPS, with proper certificate validation
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-02-12T16:16:17.183Z and was last modified on 2026-07-14T16:16:58.317Z. The NVD entry is currently Deferred. The Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled, which is the default configuration. This allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints. Developers and users of the Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior should be aware of this vulnerability and take steps to mitigate it. The CVE record and NVD entry provide additional context, but their accuracy and completeness are not verified by this debrief.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-12T16:16:17.183Z and has not been modified since then. The NVD entry is currently Deferred.