CVE-2026-41872
Improper Certificate Validation in Kura Sushi Official App
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: JPCERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| epg | kura_sushi_official_app | From 2.0.11 (inc) to 3.9.10 (inc) |
| epg | kura_sushi_official_app | 3.9.11 |
| epg | kura_sushi_official_app | 3.9.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in the Kura Sushi Official App involves improper certificate validation, which allows a man-in-the-middle attack to eavesdrop on or alter push notification communications between the app and its server.
Such a vulnerability could potentially lead to unauthorized access or disclosure of personal data collected by the app, including contact information, email addresses, names, IDs, and device IDs as indicated in the app's privacy policy.
This risk of data interception or alteration may impact compliance with data protection regulations like GDPR or HIPAA, which require secure handling and protection of personal and sensitive information.
Therefore, failure to properly secure communications could result in violations of these standards, especially if personal data is compromised due to this vulnerability.
Can you explain this vulnerability to me?
The "Kura Sushi Official App" developed by EPG, Inc. has a vulnerability related to improper certificate validation in push notifications.
This flaw allows an attacker to perform a man-in-the-middle attack by exploiting a malicious wireless LAN access point.
As a result, the attacker may eavesdrop on or alter the communication between the app and its server regarding push notifications.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized interception or modification of push notification data sent between the app and its server.
An attacker exploiting this flaw could gain sensitive information or manipulate notifications, potentially misleading users or compromising app functionality.
Because the vulnerability allows a man-in-the-middle attack, it poses a high security risk, as reflected by its high CVSS scores.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper certificate validation in the Kura Sushi Official App's push notification communication, which can be exploited via a man-in-the-middle attack on the network.
To detect this vulnerability on your network or system, you can monitor network traffic for suspicious man-in-the-middle activity, especially on wireless LANs used by devices running affected versions of the app (Android 2.0.11 to 3.9.10 and iOS 2.0.11 to 3.9.10).
Specific commands to detect such issues are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Kura Sushi Official App to the fixed versions: Android 3.9.11 or later and iOS 3.9.11 or later, as these versions address the improper certificate validation vulnerability.
Additionally, avoid connecting to untrusted or malicious wireless LAN access points to reduce the risk of man-in-the-middle attacks.