Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server.
AnalysisAI
Man-in-the-middle attacks against Kura Sushi Official App for Android and iOS allow complete interception and modification of push notification traffic due to improper SSL/TLS certificate validation. Attackers on the network path between the mobile app and EPG's notification server can read confidential data (VC:H) and inject arbitrary notifications or commands (VI:H) without authentication or user interaction. The vulnerability affects both Android and iOS versions of the official ordering app from Japanese restaurant chain Kura Sushi. EPSS and KEV data not available; exploitation requires network position but no special credentials or app configuration.
Technical ContextAI
This vulnerability stems from CWE-295 (Improper Certificate Validation), a common mobile app security flaw where developers fail to properly implement TLS/SSL certificate pinning or hostname verification. The affected applications (CPE: a:epg,_inc.:kura_sushi_official_app_for_android and a:epg,_inc.:kura_sushi_official_app_for_ios) likely accept any certificate presented during TLS handshake or do not validate the certificate chain against trusted root CAs. This affects push notification communications, which in modern mobile apps often use protocols like HTTP/2 over TLS or platform-specific APIs (Firebase Cloud Messaging for Android, Apple Push Notification service for iOS) that should enforce strict certificate validation. The CVSS 4.0 vector indicates network-accessible attack (AV:N) with low complexity (AC:L) but present attack requirements (AT:P), suggesting the attacker must position themselves on the network path. The high confidentiality and integrity impacts (VC:H/VI:H) with no availability impact (VA:N) and no subsequent system impacts (SC:N/SI:N/SA:N) are consistent with a passive interception and active injection scenario limited to the communication channel itself.
RemediationAI
Update to the latest version of Kura Sushi Official App from Google Play Store (Android) or Apple App Store (iOS) once vendor-released patches become available. Specific fixed version numbers are not confirmed in available data; monitor the JPCERT/CC advisory at https://jvn.jp/en/jp/JVN38632731/ for patch release announcements from EPG, Inc. Until patched versions are deployed, users should avoid using the app over untrusted networks including public Wi-Fi, coffee shop networks, or hotel guest networks. Organizations providing guest Wi-Fi in restaurant environments should implement WPA3-Enterprise with certificate-based authentication or deploy TLS-inspection-aware security controls. End users can mitigate risk by using cellular data (4G/5G) instead of Wi-Fi when using the app, or routing traffic through a trusted VPN service, though VPN use may introduce latency affecting real-time order updates. Note that VPN mitigation only protects if the VPN provider's network is more trusted than local Wi-Fi. IT administrators managing corporate mobile device fleets should consider blocking the app via Mobile Device Management (MDM) until patches are confirmed, though this may impact employee dining convenience.
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29381
GHSA-mcjh-pcfv-25rh