Description
"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
Published: 2026-05-12
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Kura Sushi Official App accepts any server certificate during the push‑notification handshake, allowing an attacker on the transport path to intercept or alter notification data. The vulnerability enables eavesdropping, corruption, or spoofing of the incoming push stream, effectively compromising confidentiality and integrity of app communications. Based on the description, it is inferred that an adversary could modify message payloads or block legitimate notifications, potentially delivering malicious content or denying service to users.

Affected Systems

The affected products are the Kura Sushi Official App for Android and iOS, distributed by EPG, Inc. No specific software versions are listed, so the risk applies to all versions of the app currently in use.

Risk and Exploitability

The CVSS score of 9.1 places the flaw in the critical range, indicating a high exploitation potential. The EPSS score is not available, so precise likelihood cannot be quantified, but the lack of a CISA KEV listing does not mitigate the inherent severity of a MITM bypass. The attack likely requires control of the communication channel (e.g., rogue Wi‑Fi hotspot or compromised device) and can be executed without user interaction, making it a practical threat to any device running the affected app.

Generated by OpenCVE AI on May 12, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest EPG, Inc. patch that enforces proper certificate validation for push notifications.
  • If no patch is available, uninstall the app or disable its push‑notification functionality until a fix is released.
  • Contact EPG, Inc. to confirm patch availability and report the vulnerability to obtain a timeline for remediation.

Advisories

No advisories yet.

History

Tue, 12 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Epg; Epg kura Sushi Official App
Vendors & Products | | Epg; Epg kura Sushi Official App

Tue, 12 May 2026 06:30:00 +0000

Type | Values Removed | Values Added
Title | | Certificate Validation Failure Enabling MITM on Push Notifications in Kura Sushi Application

Tue, 12 May 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | "Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
Weaknesses | | CWE-295
References | |
Metrics | | cvssV3_0: {'score': 7.4, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Metrics | | cvssV4_0: {'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: jpcert

Published:

Updated: 2026-05-12T13:17:40.535Z

Reserved: 2026-04-22T07:25:34.140Z

Link: CVE-2026-41872

Vulnrichment

Updated: 2026-05-12T13:17:36.572Z

NVD

Status: Deferred

Published: 2026-05-12T06:16:09.400

Modified: 2026-05-12T15:10:27.993

Link: CVE-2026-41872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:21:55Z

Weaknesses