[Japanese]

JVNDB-2026-000067

"Kura Sushi Official App" vulnerable to improper certificate validation

Overview

"Kura Sushi Official App" provided by EPG, Inc. contains the following vulnerability.
  • Improper certificate validation on push notifications (CWE-295) - CVE-2026-41872
    • This analysis assumes a man-in-the-middle attack being conducted with a malicious wireless LAN access point
Tsuyoshi Ogawa of SAK University SIE Co., Ltd. reported this vulnerability to IPA.JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.4 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None
CVSS v4 Severity
Base Metrics: 9.1 (Critical) [IPA Score]
  • Access Vector (AV): Network
  • Attack Complexity (AC): Low
  • Attack Requirements (AT): Present
  • Privileges Required (PR): None
  • User Interaction (UI): None
    • Vulnerable System Impact
  • Confidentiality Impact (VC): High
  • Integrity Impact (VI): High
  • Availability Impact (VA): None
    • Subsequent System Impact
  • Confidentiality Impact (SC): None
  • Integrity Impact (SI): None
  • Availability Impact (SA): None
Affected Products


EPG, Inc.
  • Kura Sushi Official App for Android versions from 2.0.11 to 3.9.10
  • Kura Sushi Official App for iOS versions from 2.0.11 to 3.9.10

Impact

A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
Solution

[Update the Software]
Update the application to the latest version according to the information provided by the developer.

The developer has released the following versions to fix the issue.
  • "Kura Sushi Official App" for Android version 3.9.11
  • "Kura Sushi Official App" for iOS version 3.9.11
The developer states that the affected versions require the users to update immediately when invoked.
Vendor Information

EPG, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2026-41872
References

  1. JVN : JVN#38632731
Revision History

  • [2026/05/11]
      Web page was published

Date Public2026/05/11
Date First Published2026/05/11
Date Last Updated2026/05/11