CVE-2026-26214 漏洞深度分析

漏洞概述

CVE 编号: CVE-2026-26214
CVSS 评分: 9.1(CRITICAL)
CVSS 向量: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE 分类: CWE-297
漏洞状态: Deferred
发布时间: 2026-02-12T16:16:17.183
最后更新: 2026-07-14T16:16:58.317

漏洞描述

Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) version 3.0.8 and prior disable TLS hostname verification when HTTPS is enabled (the default configuration). In GalaxyFDSClientImpl.createHttpClient(), the SDK configures Apache HttpClient with SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any valid TLS certificate regardless of hostname mismatch. Because HTTPS is enabled by default in FDSClientConfiguration, all applications using the SDK with default settings are affected. This vulnerability allows a man-in-the-middle attacker to intercept and modify SDK communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status.

影响分析

此漏洞的具体影响取决于实际利用场景。"

修复建议

  1. 及时关注厂商发布的安全更新和补丁
  2. 升级受影响组件到最新版本
  3. 如无法立即升级,参考厂商提供的临时缓解措施
  4. 加强网络访问控制和监控

参考链接

  1. https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-26214/CVE-2026-26214.md
  2. https://github.com/XiaoMi/galaxy-fds-sdk-android
  3. https://www.vulncheck.com/advisories/xiaomi-galaxy-fds-android-sdk-tls-hostname-verification-disabled-enables-mitm