CVE-2026-26214

Name of the Vulnerable Software and Affected Versions Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) versions prior to 3.0.9

Description The Galaxy FDS Android SDK disables TLS hostname verification when HTTPS is enabled by default. Specifically, the createHttpClient() function within the GalaxyFDSClientImpl class configures Apache HttpClient with SSLSocketFactory.ALLOW ALL HOSTNAME VERIFIER, accepting any TLS certificate regardless of hostname mismatch. This allows a man-in-the-middle attacker to intercept and modify communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.

Recommendations Versions prior to 3.0.9 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.