CVE-2026-41872

EPG, Inc. · Kura Sushi Official App

The Kura Sushi Official App for Android and iOS contains an improper certificate validation vulnerability, potentially exposing user data to man-in-the-middle attacks.

Executive summary

Improper certificate validation in the Kura Sushi Official App (v2.0.11-3.9.10) exposes users to potential man-in-the-middle attacks and data interception.

Vulnerability

The application fails to properly validate SSL/TLS certificates (CWE-295), allowing attackers to intercept or manipulate encrypted communications. This vulnerability can be exploited by an unauthenticated attacker, provided they can position themselves within the network path of the victim.

Business impact

This vulnerability poses a risk of credential theft, session hijacking, or the exposure of personal user information transmitted through the app. Given the CVSS score of 7.4, the risk of total technical impact to the application's data integrity and confidentiality is significant for affected mobile users.

Remediation

Immediate Action: Users should check for and install the latest version of the Kura Sushi Official App from the Google Play Store or Apple App Store.

Proactive Monitoring: Security teams should monitor for suspicious network traffic originating from mobile devices running the application.

Compensating Controls: Use of a secure VPN or avoiding the use of the application on untrusted public Wi-Fi networks can reduce the likelihood of a successful man-in-the-middle attack.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

All users of the Kura Sushi Official App should update to the latest available version immediately. Developers must ensure that certificate validation is strictly enforced in all network requests to prevent interception of sensitive data.