Description

In the mObywatel iOS application, an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized. This issue was fixed in version 4.71.0.

PUBLISHED Reserved 2025-10-10 | Published 2026-02-03 | Updated 2026-02-03 | Assigner CERT-PL




LOW: 1.0 CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

Product status

Default status: unaffected

Any version before 4.71.0: affected

Credits

Maciej Krakowiak [DSecure.me Sp. z o.o] finder

References

info.mobywatel.gov.pl/ product

cert.pl/posts/2026/02/CVE-2025-11598 third-party-advisory

cve.org (CVE-2025-11598)

nvd.nist.gov (CVE-2025-11598)
