Skip to main content

Apache CVE-2026-26214

CRITICAL
Improper Validation of Certificate with Host Mismatch (CWE-297)
2026-02-12 disclosure@vulncheck.com
9.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.1 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jul 14, 2026 - 16:40 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 16:22 NVD
HIGH CRITICAL
CVSS changed
Jul 14, 2026 - 16:22 NVD
7.4 (HIGH) 9.1 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
CVE Published
Feb 12, 2026 - 16:16 nvd
HIGH 7.4

DescriptionCVE.org

Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.

AnalysisAI

Man-in-the-middle interception affects the Xiaomi Galaxy FDS Android SDK (galaxy-fds-sdk-android) version 3.0.8 and prior, which disables TLS hostname verification whenever HTTPS is enabled — the default. Because createHttpClient() installs Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, any TLS certificate from any host is accepted, letting an on-path attacker impersonate Xiaomi FDS cloud storage endpoints and steal authentication credentials, file contents, and API responses. EPSS is very low (0.03%, 8th percentile) and there is no public exploit identified at time of analysis, but the project has reached end-of-life so no fix is expected.

Share

CVE-2026-26214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy