CVE-2026-8990
Description
A user with physical access to a smartphone can bypass the authentication mechanism of the Kidsview mobile application and grant himself full access to the device owner's account by interacting with the application's push notification.
This issue was fixed in version 4.4.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Physical access to a smartphone running the Kidsview mobile application allows bypassing authentication via push notification interaction, granting full account access. Fixed in version 4.4.3.
Vulnerability
The Kidsview mobile application (versions 4.0.1 to 4.4.3) contains an authentication bypass vulnerability (CWE-288) where a user with physical access to an unlocked smartphone can interact with a push notification from the app to bypass the application's authentication mechanism. The attacker does not need the device owner's credentials; the notification interaction alone is sufficient to trigger the flaw and gain unauthorized access [2].
Exploitation
To exploit this vulnerability, an attacker must have physical possession of the victim's smartphone that has Kidsview installed and is currently receiving push notifications. The attacker interacts with a push notification displayed on the locked or unlocked screen (depending on device settings). This interaction triggers a code path that skips the normal authentication flow and directly grants the attacker full access to the device owner's Kidsview account [2]. No further credentials or user interaction from the owner are required.
Impact
A successful attacker gains full access to the Kidsview account of the smartphone owner. This can lead to unauthorized viewing of private data (information disclosure) and potentially actions performed under the owner's identity, affecting confidentiality and integrity of the account. The compromise is at the application level, not the device itself [1][2].
Mitigation
The vulnerability is fixed in Kidsview version 4.4.3, released on or before May 28, 2026. Users are strongly advised to update the application through official app stores to the latest version. No workarounds are known; keeping the device physically secure and applying the update are the recommended mitigations [2].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.