CVE-2026-41872
Improper Certificate Validation in Kura Sushi Official App
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| epg | kura_sushi_official_app | From 2.0.11 (inc) to 3.9.10 (inc) |
| epg | kura_sushi_official_app | 3.9.11 |
| epg | kura_sushi_official_app | 3.9.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The "Kura Sushi Official App" developed by EPG, Inc. has a vulnerability related to improper certificate validation in push notifications.
This flaw allows an attacker to perform a man-in-the-middle attack by exploiting a malicious wireless LAN access point.
As a result, the attacker may eavesdrop on or alter the communication between the app and its server regarding push notifications.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized interception or modification of push notification data sent between the app and its server.
An attacker exploiting this flaw could gain sensitive information or manipulate notifications, potentially misleading users or compromising app functionality.
Because the vulnerability allows a man-in-the-middle attack, it poses a high security risk, as reflected by its high CVSS scores.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper certificate validation in the Kura Sushi Official App's push notification communication, which can be exploited via a man-in-the-middle attack on the network.
To detect this vulnerability on your network or system, you can monitor network traffic for suspicious man-in-the-middle activity, especially on wireless LANs used by devices running affected versions of the app (Android 2.0.11 to 3.9.10 and iOS 2.0.11 to 3.9.10).
Specific commands to detect such issues are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Kura Sushi Official App to the fixed versions: Android 3.9.11 or later and iOS 3.9.11 or later, as these versions address the improper certificate validation vulnerability.
Additionally, avoid connecting to untrusted or malicious wireless LAN access points to reduce the risk of man-in-the-middle attacks.