PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8990 View Concept CVE debrief

A physical-access authentication bypass vulnerability in the Kidsview mobile application allows an attacker with physical access to a smartphone to bypass authentication and gain full access to the device owner's account by interacting with the application's push notification. The vulnerability was fixed in version 4.4.3. The issue involves weaknesses in the implementation of the authentication mechanism (CWE-288) and exposure of sensitive information to an unauthorized actor (CWE-359). The CVSS 4.0 vector indicates a physical attack vector with high confidentiality and integrity impact.

Vendor: View Concept
Product: Kidsview
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations and individuals using the Kidsview mobile application for parental control or device monitoring, particularly those with devices that may be accessible to unauthorized users, as well as mobile application security teams and developers implementing push notification-based authentication flows.

Technical summary

The Kidsview mobile application contains an authentication bypass vulnerability: an attacker with physical access to a smartphone can interact with the application's push notification to gain full access to the device owner's account. The vulnerability stems from improper implementation of the authentication mechanism (CWE-288) and potential exposure of sensitive information through push notifications (CWE-359). The attack requires physical access to the device (AV:P) and has a high impact on confidentiality and integrity. The vendor has released version 4.4.3, which contains the security fix.

Defensive priority

Medium

Recommended defensive actions

  • Update the Kidsview mobile application to version 4.4.3 or later to remediate the authentication bypass vulnerability
  • Implement additional authentication controls for push notification interactions to prevent unauthorized account access
  • Review and strengthen authentication mechanisms in mobile applications to address CWE-288 (Authentication Bypass Issues)
  • Assess exposure of sensitive information in push notifications to address CWE-359 (Exposure of Private Information)
  • Monitor for unauthorized access attempts on devices running affected versions of Kidsview
  • Apply device-level security controls (screen lock, biometric authentication) to complement application-level fixes

Evidence notes

CVE published 2026-05-28T14:16:25.170Z; modified 2026-05-28T18:00:22.543Z. Fix version 4.4.3 confirmed in CVE description. CERT.PL advisory and vendor website referenced as sources.
