
External risk intelligence

Kura Sushi App could allow external attackers to intercept or alter push notifications

The Kura Sushi Official App could allow external attackers to intercept or alter push notifications, potentially compromising the privacy and integrity of alert data sent between the app and the server.

NVD published May 12, 2026 (3 days ago)

External risk brief: CRITICAL

CVE-2026-41872

Halo Surface Signal

3/5

This vulnerability affects a consumer mobile application's client-side certificate validation logic. The application relies on public internet connectivity to communicate with backend servers; however, the vulnerability exists within the client-side code rather than an internet-facing listening service or infrastructure component.

Exposure facts

H – Horizon Alert

The Kura Sushi Official App has been identified as having a security weakness regarding how it validates digital certificates. This vulnerability could allow an unauthorized party to position themselves in the communication flow, potentially enabling them to intercept or modify push notifications sent between the application and the server. Consequently, this creates a potential risk to the privacy and integrity of information exchanged through these specific digital alerts.

A – Asset Exposure

The Kura Sushi Official App is affected by a vulnerability involving how it validates digital security certificates. This issue impacts the integrity and privacy of communications regarding push notifications sent between the mobile application and the backend server. If this flaw is targeted, an unauthorized party could intercept or modify this notification data, potentially compromising the information delivered to the app's users.

L – Live Threat

The available intelligence for this vulnerability does not indicate active exploitation or observed targeting. We have not identified any reports of public exploit code or proof-of-concept activity associated with this issue. Consequently, current risk signals are limited, and we have no evidence of threat activity to suggest a heightened likelihood of impact at this time.

O – Operational Fix

We recommend that teams using the Kura Sushi Official App update the application through official app stores to apply the latest vendor protections. Please consult the official Japanese Vulnerability Notes (JVN) advisory for specific remediation guidance provided by the developer. Prioritize verifying that your organization’s installations are updated to ensure your environment remains secure.
