CVE-2026-8990

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3

CVSS

No CVSS.

References

Link	Resource
https://cert.pl/posts/2026/05/CVE-2026-8990
https://kidsview.pl/

Configurations

No configuration.

History

28 May 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-28 14:16

Updated : 2026-05-28 18:00

NVD link : CVE-2026-8990

Mitre link : CVE-2026-8990

CVE.ORG link : CVE-2026-8990

JSON object : View

Products Affected

No product.

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

{"id": "CVE-2026-8990", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "cvd@cert.pl", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-28T14:16:25.170", "references": [{"url": "https://cert.pl/posts/2026/05/CVE-2026-8990", "source": "cvd@cert.pl"}, {"url": "https://kidsview.pl/", "source": "cvd@cert.pl"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cvd@cert.pl", "description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-359"}]}], "descriptions": [{"lang": "en", "value": "A user with physical access to a smartphone can bypass\u00a0authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification.\n\nThis issue was fixed in version 4.4.3"}], "lastModified": "2026-05-28T18:00:22.543", "sourceIdentifier": "cvd@cert.pl"}

CVE-2026-8990

JSON object

Attach tags to CVE-2026-8990

Attach tags to `CVE-2026-8990`