CVE-2026-41872
Received Received - Intake
Improper Certificate Validation in Kura Sushi Official App

Publication date: 2026-05-12

Last updated on: 2026-05-12

Assigner: JPCERT/CC

Description
"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-12
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-41872
EUVD
EUVD-2026-29381
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
epg kura_sushi_official_app From 2.0.11 (inc) to 3.9.10 (inc)
epg kura_sushi_official_app 3.9.11
epg kura_sushi_official_app 3.9.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The "Kura Sushi Official App" developed by EPG, Inc. has a vulnerability related to improper certificate validation in push notifications.

This flaw allows an attacker to perform a man-in-the-middle attack by exploiting a malicious wireless LAN access point.

As a result, the attacker may eavesdrop on or alter the communication between the app and its server regarding push notifications.

Impact Analysis

This vulnerability can lead to unauthorized interception or modification of push notification data sent between the app and its server.

An attacker exploiting this flaw could gain sensitive information or manipulate notifications, potentially misleading users or compromising app functionality.

Because the vulnerability allows a man-in-the-middle attack, it poses a high security risk, as reflected by its high CVSS scores.

Detection Guidance

This vulnerability involves improper certificate validation in the Kura Sushi Official App's push notification communication, which can be exploited via a man-in-the-middle attack on the network.

To detect this vulnerability on your network or system, you can monitor network traffic for suspicious man-in-the-middle activity, especially on wireless LANs used by devices running affected versions of the app (Android 2.0.11 to 3.9.10 and iOS 2.0.11 to 3.9.10).

Specific commands to detect such issues are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update the Kura Sushi Official App to the fixed versions: Android 3.9.11 or later and iOS 3.9.11 or later, as these versions address the improper certificate validation vulnerability.

Additionally, avoid connecting to untrusted or malicious wireless LAN access points to reduce the risk of man-in-the-middle attacks.

Compliance Impact

The vulnerability in the Kura Sushi Official App involves improper certificate validation, which allows a man-in-the-middle attack to eavesdrop on or alter push notification communications between the app and its server.

Such a vulnerability could potentially lead to unauthorized access or disclosure of personal data collected by the app, including contact information, email addresses, names, IDs, and device IDs as indicated in the app's privacy policy.

This risk of data interception or alteration may impact compliance with data protection regulations like GDPR or HIPAA, which require secure handling and protection of personal and sensitive information.

Therefore, failure to properly secure communications could result in violations of these standards, especially if personal data is compromised due to this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41872. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart