Full Report
An authentication bypass vulnerability (CVE-2026-8990) has been found in Kidsview software.
Analysis Summary
# Vulnerability: Authentication Bypass in Kidsview Mobile Application
## CVE Details
- **CVE ID**: CVE-2026-8990
- **CVSS Score**: Not specifically listed in the report (Estimated High based on impact)
- **CWE**: CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
## Affected Systems
- **Products**: Kidsview (Mobile Application)
- **Versions**: Found in versions 4.0.1 through 4.4.2 (Fixed in 4.4.3)
- **Configurations**: Smartphones with Kidsview installed where push notifications are active.
## Vulnerability Description
A technical flaw in the Kidsview mobile application allows an unauthorized individual to bypass the standard authentication mechanism. By interacting with a push notification received on the smartphone, an attacker can gain full access to the device owner's account. This bypass effectively skips the required login or identity verification steps.
## Exploitation
- **Status**: Reported via Coordinated Vulnerability Disclosure (CVD); no mention of active exploitation in the wild.
- **Complexity**: Low (requires basic interaction with a notification).
- **Attack Vector**: Physical (requires physical access to the smartphone).
## Impact
- **Confidentiality**: High (Full access to the device owner’s account and data).
- **Integrity**: High (Ability to modify account settings or data).
- **Availability**: Medium (Unauthorized access could lead to account lockout or setting changes).
## Remediation
### Patches
- **Version 4.4.3**: This version contains the fix for the authentication bypass. Users should update the application via their respective app stores immediately.
### Workarounds
- **Disable Notifications**: As a temporary measure if updating is not possible, users can disable push notifications for the Kidsview app in the smartphone system settings.
- **Device Security**: Ensure the smartphone itself is protected by a strong biometric or passcode lock to prevent physical access to notifications.
## Detection
- **Indicators of Compromise**: Unrecognized activity within the Kidsview account that coincides with physical loss of control of the device.
- **Detection Methods**: Audit account logs (if available) for access timestamps that do not align with authorized usage.
## References
- **CERT Polska Advisory**: hxxps[://]cert[.]pl/en/posts/2026/05/vulnerability-in-kidsview-application/
- **CVE Record**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-8990
- **CWE-288 Definition**: hxxps[://]cwe[.]mitre[.]org/data/definitions/288[.]html