Skip to main content

Mullvad VPN CVE-2026-32323

| EUVDEUVD-2026-30818 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-05-19 GitHub_M
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 19, 2026 - 02:01 EUVD
Source Code Evidence Fetched
May 19, 2026 - 01:43 vuln.today
Analysis Generated
May 19, 2026 - 01:43 vuln.today

DescriptionGitHub Advisory

Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.

AnalysisAI

Local privilege escalation in Mullvad VPN for macOS versions 2026.1 and earlier allows a user in the admin group to gain root code execution during installation or upgrade. The installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying the bundle's integrity, enabling an admin-group attacker to pre-stage a malicious app bundle that runs as root. No public exploit identified at time of analysis, and the flaw is only triggerable when an installer is run, not on already-installed systems.

Technical ContextAI

The issue is a CWE-427 Uncontrolled Search Path Element in the macOS installer's preinstall script (dist-assets/pkg-scripts/preinstall). The script invokes $INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup with root privileges, but /Applications on macOS is writable by members of the local admin group. Because the installer trusts whatever bundle is present at that path rather than the signed bundle being installed, any binary placed there inherits the elevated context the installer scripts run under. The affected component is identified by CPE cpe:2.3:a:mullvad:mullvadvpn-app:*, which covers the desktop client across versions up to 2026.1.

RemediationAI

Vendor-released patch: 2026.2-beta1, which modifies the preinstall script to drop privileges with sudo -u nobody before invoking mullvad-setup (commit 032fdcb927c0b6d3e5e1aba4140d33adf22a6bfb). Administrators on macOS should upgrade using only the patched installer obtained directly from Mullvad; per the vendor, users already running an older release are not at immediate risk and only need to take care when next installing or upgrading. As a compensating control until upgrade time, restrict membership of the local admin group on shared macOS endpoints and verify the integrity of /Applications/Mullvad VPN.app (e.g., codesign --verify --deep) before running any installer, accepting the trade-off that this does not protect against an admin who replaces the bundle between verification and install. See https://github.com/mullvad/mullvadvpn-app/security/advisories/GHSA-c2g6-w5fq-vw3m and the patch commit at https://github.com/mullvad/mullvadvpn-app/commit/032fdcb927c0b6d3e5e1aba4140d33adf22a6bfb.

Share

CVE-2026-32323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy