CVE-2025-11598 PUBLISHED

Exposure of Confidential Information in mObywatel application

Assigner: CERT-PL
Reserved: 10.10.2025 Published: 03.02.2026 Updated: 03.02.2026

In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized

This issue was fixed in version 4.71.0

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Physical	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	None
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Centralny Ośrodek Informatyki
Product	mObywatel
Versions	Default: unaffected affected from 0 to 4.71.0 (excl.)

Credits

Maciej Krakowiak [DSecure.me Sp. z o.o] finder

References

Problem Types

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor CWE

Impacts

CAPEC-508 Shoulder Surfing