External risk intelligence

Kura Sushi Official App could allow an external attacker to read or tamper with notifications.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-41872

An external attacker can exploit a security flaw in the Kura Sushi Official App to intercept or manipulate push notifications. This could allow attackers to send deceptive messages or phishing links to customers, potentially leading to unauthorized access to sensitive account information.

1Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-41872

The vulnerability resides in a mobile client application. Attacking this flaw requires an interceptor to position themselves for a Man-in-the-Middle attack on the user's local network path, such as public Wi-Fi, rather than interacting with a public-facing server, gateway, or internet-accessible management surface.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

The Kura Sushi Official App has an issue where it doesn't properly validate security certificates. This could allow someone to eavesdrop on or change the information sent during push notifications between the app and its servers.

  • Sensitive data could be exposed.
  • Communications could be altered.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by performing a man-in-the-middle attack to intercept or modify push notifications sent by the Kura Sushi Official App. This requires the attacker to be on the same network as the victim, such as a public Wi-Fi hotspot, to intercept traffic between the app and its server. The goal would be to eavesdrop on sensitive information or inject malicious content into notifications.

  • Network intercept required.
  • Man-in-the-middle attack.
  • App must be in use.

Live Threat

Current exploitation, exposure, and threat context

Attackers generally dislike weaponizing mobile client vulnerabilities due to the inherent difficulty in targeting specific users and the need for a sophisticated man-in-the-middle setup. This specific CVE, however, presents a potential for eavesdropping or altering sensitive communication, which could be attractive for targeted attacks if the application handles critical user data. Without evidence of active exploitation or public exploit code, the immediate threat remains uncertain.

  • Limited direct public exploit.
  • Requires network proximity.
  • Not listed as KEV.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize identifying and isolating instances of the "Kura Sushi Official App" on the network, as this vulnerability allows for man-in-the-middle attacks that can compromise user communications. Given the CRITICAL severity and potential for data interception, immediate action is recommended to limit exposure.

  • Block untrusted network traffic.
  • Monitor for suspicious push notifications.
  • Advise users to uninstall the app.

Frequently asked questions

What is the Kura Sushi Official App?

The Kura Sushi Official App is a mobile application provided by EPG, Inc. It is used for making reservations, managing loyalty points, ordering food for pickup or delivery, and accessing coupons. The app is available for both Android and iOS devices.

What kind of weakness does CVE-2026-41872 represent?

CVE-2026-41872 is an improper certificate validation vulnerability (CWE-295). This means the app does not properly verify the security certificates of the servers it communicates with, potentially allowing attackers to impersonate legitimate servers or intercept sensitive data.

What conditions are needed for this vulnerability to be exploited?

Exploitation requires an attacker to be positioned on the same network as the user, such as through a compromised Wi-Fi hotspot. This allows for a man-in-the-middle attack where the attacker can intercept or alter the push notifications sent between the app and its server.

Who is most affected by this vulnerability?

This vulnerability affects users of the Kura Sushi Official App, particularly those who use the app on untrusted networks. Because it involves intercepting local network traffic, the risk is to individual users rather than directly to internet-facing servers.

What should users do if they run this technology?

Users should avoid using the Kura Sushi Official App on untrusted networks like public Wi-Fi until a secure version is installed. It is recommended to use a trusted cellular connection or a corporate VPN when using the app to minimize the risk of interception.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished