Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification.
This issue was fixed in version 4.4.3
AnalysisAI
Authentication bypass in the Kidsview mobile application allows a person with physical access to a smartphone to gain full, unauthorized access to the device owner's account by interacting with the app's push notifications, entirely circumventing the normal login flow. Affected versions are those prior to 4.4.3, as confirmed by the vendor fix. No public exploit code has been identified at time of analysis, and there is no CISA KEV listing, but the attack requires no credentials and no user assistance - only physical device possession.
Technical ContextAI
Kidsview is a parental control mobile application (kidsview.pl). The vulnerability is rooted in CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning the application's push notification handling exposes an alternate code path that skips the primary authentication gate. In mobile applications, push notification interactions can launch specific app activities or deep-link handlers without first passing through the standard authentication screen - this is the channel being abused. The CVSS 4.0 vector (AV:P/AC:L/AT:P/PR:N/UI:N) confirms the attack is physical in nature, requires no privileges, no user interaction beyond the attacker's own actions, but does require certain attack prerequisites (AT:P), such as the app being installed and having received a push notification visible on the lock screen. No CPE string was provided; affected scope is inferred from the description as the Kidsview Android/iOS application prior to version 4.4.3.
RemediationAI
Users and administrators should upgrade the Kidsview mobile application to version 4.4.3 or later, which is confirmed to resolve this authentication bypass. The vendor advisory is available at https://kidsview.pl/ and the CERT Polska disclosure can be reviewed at https://cert.pl/posts/2026/05/CVE-2026-8990. If immediate upgrade is not possible, a compensating control is to disable push notifications for the Kidsview application at the operating system level - this removes the alternate channel used for bypass, though it will also disable legitimate notification functionality for the app. An additional compensating measure is to enable full-device encryption combined with a strong lock screen PIN or biometric, which limits an attacker's ability to interact with lock-screen notifications at all; note however that the CVE description implies interaction beyond the lock screen may still be possible depending on device configuration.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32901
GHSA-frf3-pwqj-2qf5