Description
A user with physical access to a smartphone can bypass the authentication mechanism of the Kidsview mobile application and grant himself full access to the device owner's account by interacting with the application's push notification.

This issue was fixed in version 4.4.3.
Published: 2026-05-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A user who physically accesses a smartphone can exploit a flaw in the Kidsview mobile application to bypass its authentication mechanism through a push notification. This flaw allows the attacker to gain full access to the device owner's account, compromising the confidentiality, integrity, and availability of personal data. The weakness aligns with CWE‑288 and CWE‑359, indicating a failure in enforcing proper authentication checks during user interaction events.

Affected Systems

The vulnerable product is the Kidsview application distributed by View Concept. Versions prior to 4.4.3 are affected; the fix was introduced in version 4.4.3.

Risk and Exploitability

The CVSS score of 5.3 categorizes the vulnerability as medium severity. EPSS data is not provided, but the attack requires the attacker to have physical access to the device and to interact with a push notification, limiting the threat to individuals who can physically obtain the phone. Since the vulnerability is not listed in the CISA KEV catalog, there is no current evidence of widespread exploitation, yet the impact on personal data warrants prompt mitigation.

Generated by OpenCVE AI on May 28, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kidsview to version 4.4.3 or later to address the authentication bypass flaw.
  • If an immediate upgrade is not possible, disable push notifications for the Kidsview app to mitigate the exploitation path until a patch is available.
  • Ensure that all devices running Kidsview employ a strong device lock, use full‑disk encryption, and restrict physical access to prevent attackers from triggering the push notification.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | View Concept; View Concept kidsview
Vendors & Products | | View Concept; View Concept kidsview

Thu, 28 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with application's push notification. This issue was fixed in version 4.4.3
Title | | Authentication Bypass in Kidsview
Weaknesses | | CWE-288; CWE-359
References | |
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-28T15:14:26.194Z

Reserved: 2026-05-19T13:13:51.711Z

Link: CVE-2026-8990

Vulnrichment

Updated: 2026-05-28T15:13:27.675Z

NVD

Status: Deferred

Published: 2026-05-28T14:16:25.170

Modified: 2026-05-28T18:00:22.543

Link: CVE-2026-8990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:29Z

Weaknesses