TLS Hostname Verification Bypass in Xiaomi Galaxy FDS SDK for Android
CVE-2026-26214
Key Information:
- Vendor: Xiaomi Technology Co., Ltd.
- Status: Vendor
- CVE Published: 12 February 2026
What is CVE-2026-26214?
The Galaxy FDS Android SDK from Xiaomi has a significant security flaw: TLS hostname verification is disabled in the default configuration. The SDK uses SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any TLS certificate regardless of whether its name matches the host being contacted. As a consequence, any application integrating this SDK with its default settings is susceptible to a man-in-the-middle attack in which an attacker on the network path can intercept and modify communications with Xiaomi's FDS cloud storage, exposing authentication credentials, sensitive file contents, and API response data. It's important to note that the open-source Galaxy FDS SDK project has reached end-of-life status, leaving existing implementations without a vendor fix.
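The weak setting described above, shown beside the corrected one, as an added example that is not the SDK's own code: it uses the Apache HttpClient 4.x API (the API the ALLOW_ALL_HOSTNAME_VERIFIER constant belongs to, bundled with older Android releases) and assumes a hypothetical class name FdsTlsConfig; the audit helper is also an assumption for illustration.

```java
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;

// Added example (not the SDK's own code): the weak and the corrected way of
// configuring hostname verification on an Apache HttpClient 4.x SSLSocketFactory.
public final class FdsTlsConfig {

    // Weak: ALLOW_ALL_HOSTNAME_VERIFIER skips the name check, so a certificate
    // issued for any other host is accepted when connecting to an FDS endpoint.
    static SSLSocketFactory weakFactory() {
        SSLSocketFactory factory = SSLSocketFactory.getSocketFactory();
        factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return factory;
    }

    // Corrected: STRICT_HOSTNAME_VERIFIER rejects certificates whose CN/SAN
    // does not match the host being connected to (the default behaviour).
    static SSLSocketFactory hardenedFactory() {
        SSLSocketFactory factory = SSLSocketFactory.getSocketFactory();
        factory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        return factory;
    }

    // Audit helper (assumed, for illustration): flags a factory that an app
    // is about to register for HTTPS if it still carries the permissive verifier.
    static boolean allowsAnyHostname(SSLSocketFactory factory) {
        return factory.getHostnameVerifier() == SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;
    }

    // Registers the HTTPS scheme with the hardened factory only; throws if a
    // caller tries to register the weak one, so the misconfiguration fails closed.
    static SchemeRegistry httpsRegistry(SSLSocketFactory factory) {
        if (allowsAnyHostname(factory)) {
            throw new IllegalStateException("TLS hostname verification is disabled");
        }
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", factory, 443));
        return registry;
    }
}
```

In an app that cannot upgrade the end-of-life SDK, the same check can be applied to whatever SSLSocketFactory the SDK exposes before any FDS request is made.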

Affected Version(s)
Galaxy FDS Android SDK (Android): versions 0 through 3.0.8 inclusive
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability reserved
