Published:2026/05/11 Last Updated:2026/05/11
JVN#38632731
"Kura Sushi Official App" vulnerable to improper certificate validation
Overview
"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation.
Products Affected
- "Kura Sushi Official App" for Android versions from 2.0.11 to 3.9.10
- "Kura Sushi Official App" for iOS versions from 2.0.11 to 3.9.10
Description
"Kura Sushi Official App" provided by EPG, Inc. contains the following vulnerability.
- Improper certificate validation on push notifications (CWE-295)
- CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N Base Score 9.1
- CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Base Score 7.4
- This analysis assumes a man-in-the-middle attack being conducted with a malicious wireless LAN access point
- CVE-2026-41872
Impact
A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
Solution
Update the Software
Update the application to the latest version according to the information provided by the developer.
The developer has released the following versions to fix the issue.
- "Kura Sushi Official App" for Android version 3.9.11
- "Kura Sushi Official App" for iOS version 3.9.11
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Tsuyoshi Ogawa of SAK University SIE Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2026-41872 |
| JVN iPedia |
JVNDB-2026-000067 |