{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8990", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-05-19T13:13:51.711Z", "datePublished": "2026-05-28T13:27:00.417Z", "dateUpdated": "2026-05-28T15:14:26.194Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Android", "iOS"], "product": "Kidsview", "vendor": "View Concept", "versions": [{"lessThan": "4.4.3", "status": "affected", "version": "4.0.1", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jakub Lewandowski"}], "datePublic": "2026-05-28T13:26:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A user with physical access to a smartphone can bypass</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">authentication mechanism of </span><span style=\"background-color: rgb(255, 255, 255);\">Kidsview mobile application </span><span style=\"background-color: rgb(255, 255, 255);\">and grant himself full access to the device owner's account by interacting with application's push notification.</span><br><br>This issue was fixed in version 4.4.3"}], "value": "A user with physical access to a smartphone can bypass\u00a0authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification.\n\nThis issue was fixed in version 4.4.3"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "baseScore": 5.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-05-28T13:27:00.417Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2026/05/CVE-2026-8990"}, {"tags": ["product"], "url": "https://kidsview.pl/"}], "source": {"discovery": "EXTERNAL"}, "title": "Authentication Bypass in Kidsview", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-28T15:12:50.115280Z", "id": "CVE-2026-8990", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T15:14:26.194Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8990", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-28T15:12:50.115280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-28T15:13:27.675Z"}}], "cna": {"title": "Authentication Bypass in Kidsview", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jakub Lewandowski"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "View Concept", "product": "Kidsview", "versions": [{"status": "affected", "version": "4.0.1", "lessThan": "4.4.3", "versionType": "semver"}], "platforms": ["Android", "iOS"], "defaultStatus": "unaffected"}], "datePublic": "2026-05-28T13:26:00.000Z", "references": [{"url": "https://cert.pl/posts/2026/05/CVE-2026-8990", "tags": ["third-party-advisory"]}, {"url": "https://kidsview.pl/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A user with physical access to a smartphone can bypass\u00a0authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification.\n\nThis issue was fixed in version 4.4.3", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A user with physical access to a smartphone can bypass</span><span style=\"background-color: rgb(255, 255, 255);\">&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">authentication mechanism of </span><span style=\"background-color: rgb(255, 255, 255);\">Kidsview mobile application </span><span style=\"background-color: rgb(255, 255, 255);\">and grant himself full access to the device owner's account by interacting with application's push notification.</span><br><br>This issue was fixed in version 4.4.3", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-359", "description": "CWE-359 Exposure of Private Personal Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-05-28T13:27:00.417Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8990", "state": "PUBLISHED", "dateUpdated": "2026-05-28T15:14:26.194Z", "dateReserved": "2026-05-19T13:13:51.711Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-05-28T13:27:00.417Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A user with physical access to a smartphone can bypass\u00a0authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification.\n\nThis issue was fixed in version 4.4.3"}], "id": "CVE-2026-8990", "lastModified": "2026-05-28T18:00:22.543", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-05-28T14:16:25.170", "references": [{"source": "[email protected]", "url": "https://cert.pl/posts/2026/05/CVE-2026-8990"}, {"source": "[email protected]", "url": "https://kidsview.pl/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-359"}], "source": "[email protected]", "type": "Primary"}]}

{}