Skip to main content

Kidsview CVE-2026-8990

| EUVDEUVD-2026-32901 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-28 cvd@cert.pl GHSA-frf3-pwqj-2qf5
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 28, 2026 - 15:01 EUVD
Analysis Generated
May 28, 2026 - 14:32 vuln.today

DescriptionCVE.org

A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification.

This issue was fixed in version 4.4.3

AnalysisAI

Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.

Technical ContextAI

Kidsview is a parental control mobile application (kidsview.pl). The vulnerability is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning the application's push notification handling exposes an alternate code path that skips the primary authentication gate. In mobile applications, push notification interactions can launch specific app activities or deep-link handlers without first passing through the standard authentication screen - this is the channel being abused. The CVSS 4.0 vector (AV:P/AC:L/AT:P/PR:N/UI:N) confirms the attack is physical in nature, requires no privileges, no user interaction beyond the attacker's own actions, but does require certain attack prerequisites (AT:P), such as the app being installed and having received a push notification visible on the lock screen. No CPE string was provided; affected scope is inferred from the description as the Kidsview Android/iOS application prior to version 4.4.3.

RemediationAI

Users and administrators should upgrade the Kidsview mobile application to version 4.4.3 or later, which is confirmed to resolve this authentication bypass. The vendor advisory is available at https://kidsview.pl/ and the CERT Polska disclosure can be reviewed at https://cert.pl/posts/2026/05/CVE-2026-8990. If immediate upgrade is not possible, a compensating control is to disable push notifications for the Kidsview application at the operating system level - this removes the alternate channel used for bypass, though it will also disable legitimate notification functionality for the app. An additional compensating measure is to enable full-device encryption combined with a strong lock screen PIN or biometric, which limits an attacker's ability to interact with lock-screen notifications at all; note however that the CVE description implies interaction beyond the lock screen may still be possible depending on device configuration.

Share

CVE-2026-8990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy