CVE-2025-11598
Information Disclosure via App Switcher in mObywatel iOS App
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | mobywatel | 4.71.0 |
| unknown_vendor | mobywatel | to 4.71.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the mObywatel iOS application allows an unauthorized user to view the account owner's personal information through the iOS App Switcher after the login session has ended. When the app is minimized, the last screen displayed remains visible in the minimized app window without requiring re-authentication, exposing sensitive personal data depending on what was last shown before minimizing. This issue affects all versions below 4.71.0 and was fixed in version 4.71.0. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of your personal information stored in the mObywatel app. Even after logging out, someone with access to your device could see sensitive data through the App Switcher without needing to log in again, potentially compromising your privacy and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying if the mObywatel iOS application version installed is below 4.71.0. Since the issue involves sensitive information being visible in the iOS App Switcher after logout, manual testing can be performed by logging out of the app, minimizing it, and checking if personal data is visible in the app's minimized window. There are no specific network or system commands provided to detect this vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the mObywatel iOS application to version 4.71.0 or later, where the issue has been fixed. Avoid using versions below 4.71.0 to prevent unauthorized exposure of personal information through the App Switcher. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability exposes personal information to unauthorized users through the iOS App Switcher after the user ends their login session, which could lead to non-compliance with data protection regulations such as GDPR that require safeguarding personal data against unauthorized access. However, specific impacts on compliance with standards like GDPR or HIPAA are not detailed in the provided resources. [1]