Description
Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
Published: 2026-02-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Man‑in‑the‑Middle via TLS hostname verification bypass
Action: Patch/Workaround
AI Analysis

Impact

The Galaxy FDS Android SDK, when run with its default configuration, disables TLS hostname verification by using ALLOW_ALL_HOSTNAME_VERIFIER. An attacker on the same network can therefore present a certificate issued for any hostname, and the SDK accepts it as long as it chains to a CA the device trusts. The result is a man-in-the-middle who can intercept, alter, or eavesdrop on all communications with Xiaomi FDS cloud storage, potentially leaking authentication credentials, file data, and API responses. This is a textbook case of improper validation of a certificate with host mismatch (CWE-297).

Affected Systems

Xiaomi Technology Co., Ltd. distributes the Galaxy FDS Android SDK. Versions up to and including 3.0.8, which are also in end‑of‑life status, configure Apache HttpClient with ALLOW_ALL_HOSTNAME_VERIFIER. All applications that integrate the SDK with its default HTTPS settings are thus affected.

Risk and Exploitability

The CVSS score of 9.1 classifies this vulnerability as critical, while the EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, though not a negligible one. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a network-based MITM, where an adversary intercepts traffic between a client application and the FDS cloud endpoint. Exploitation requires the attacker to be positioned on the network path and to present a certificate that the device's trust store accepts; no additional system compromise is needed. The impact is remote, full compromise of data confidentiality and integrity (availability is not affected) for any application using the vulnerable SDK with default settings.

Generated by OpenCVE AI on April 16, 2026 at 17:12 UTC.

Remediation

Vendor Workaround

Remove line 134 (the ALLOW_ALL_HOSTNAME_VERIFIER assignment). The default SSLSocketFactory uses STRICT_HOSTNAME_VERIFIER, which is the correct secure behavior.


OpenCVE Recommended Actions

  • Upgrade the Galaxy FDS Android SDK to a version newer than 3.0.8 that enables hostname verification by default or corrects the SSLSocketFactory usage.
  • As an interim measure, modify the SDK source by removing the line that assigns ALLOW_ALL_HOSTNAME_VERIFIER (line 134) so that the default STRICT_HOSTNAME_VERIFIER is used, ensuring TLS certificates are validated properly.
  • If upgrading or modifying the source is not immediately feasible, configure each application to enforce hostname verification explicitly, for example by creating a custom SSLSocketFactory that rejects hostname mismatches or by pinning the server certificate.
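The following is an added illustration for the impact and remediation sections above; it is not code from the Galaxy FDS SDK or from OpenCVE. It assumes the Apache HttpClient 4.x API that older Android releases bundled under org.apache.http (the org.apache.http.legacy library on newer API levels). The first factory reproduces the weak pattern the advisory describes; the second sets STRICT_HOSTNAME_VERIFIER explicitly so the result does not depend on whichever verifier a given library version uses by default. The hostnames passed to the audit helper are constructed sample values, not real FDS endpoints.

```java
import javax.net.ssl.SSLException;

import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;

/**
 * Added example (hypothetical class, not part of the SDK): builds an Apache
 * HttpClient 4.x client for HTTPS in the weak and the hardened configuration,
 * plus a small audit helper that shows what each verifier actually does.
 */
public final class FdsHttpClientExample {

    private FdsHttpClientExample() {}

    /** Vulnerable pattern: any CA-trusted certificate is accepted for any host (CWE-297). */
    public static HttpClient createInsecureClient() {
        SSLSocketFactory sslFactory = SSLSocketFactory.getSocketFactory();
        // This single assignment is what disables hostname checking.
        sslFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return buildClient(sslFactory);
    }

    /** Hardened form: hostname verification set explicitly, independent of the library default. */
    public static HttpClient createSecureClient() {
        SSLSocketFactory sslFactory = SSLSocketFactory.getSocketFactory();
        sslFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return buildClient(sslFactory);
    }

    /** Shared plumbing: register http/https schemes and wrap them in a thread-safe client. */
    private static HttpClient buildClient(SSLSocketFactory sslFactory) {
        HttpParams params = new BasicHttpParams();
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        registry.register(new Scheme("https", sslFactory, 443));

        ClientConnectionManager cm = new ThreadSafeClientConnManager(params, registry);
        return new DefaultHttpClient(cm, params);
    }

    /**
     * Audit helper: returns true if the verifier would accept a certificate whose
     * subject CN does not match the host we intended to talk to. Uses the
     * offline verify(host, cns, subjectAlts) overload, so no socket is opened.
     */
    public static boolean acceptsMismatch(X509HostnameVerifier verifier,
                                          String expectedHost, String certCn) {
        try {
            verifier.verify(expectedHost, new String[] {certCn}, null);
            return true;   // accepted despite the mismatch
        } catch (SSLException e) {
            return false;  // rejected, as it should be
        }
    }

    public static void main(String[] args) {
        // Constructed sample names; not real FDS endpoints.
        String intendedHost = "fds.example.com";
        String attackerCn = "anything.example.net";

        boolean weak = acceptsMismatch(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER,
                                       intendedHost, attackerCn);
        boolean strict = acceptsMismatch(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER,
                                         intendedHost, attackerCn);

        System.out.println("ALLOW_ALL accepts mismatched CN: " + weak);    // true
        System.out.println("STRICT accepts mismatched CN:    " + strict);  // false
    }
}
```

When auditing an app that embeds the SDK, the grep target is the setHostnameVerifier call with ALLOW_ALL_HOSTNAME_VERIFIER; replacing it with the STRICT form shown here (rather than deleting it and trusting the default) makes the intended behaviour visible in code review and survives a library upgrade that changes the default.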


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 15:45:00 +0000


Fri, 13 Feb 2026 21:45:00 +0000

Type: First Time appeared
Values Added: Xiaomi; Xiaomi galaxy Fds Android Sdk
Type: Vendors & Products
Values Added: Xiaomi; Xiaomi galaxy Fds Android Sdk

Thu, 12 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 15:45:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Thu, 12 Feb 2026 15:30:00 +0000

Type: Description
Values Added: Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.
Type: Title
Values Added: Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM
Type: Weaknesses
Values Added: CWE-297
Type: References
Values Added:
Type: Metrics
Values Added: cvssV4_0 {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-03T21:02:06.407Z

Reserved: 2026-02-11T20:08:07.943Z

Link: CVE-2026-26214

Vulnrichment

Updated: 2026-02-12T15:42:24.050Z

NVD

Status: Deferred

Published: 2026-02-12T16:16:17.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26214

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses