CVE-2026-32323
Status: Undergoing Analysis - In Progress
Privilege Escalation in Mullvad VPN macOS Installer

Publication date: 2026-05-19

Last updated on: 2026-05-19

Assigner: GitHub, Inc.

Description
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.
Meta Information

Published: 2026-05-19

Last Modified: 2026-05-19

Generated: 2026-05-20

AI Q&A: 2026-05-19

EPSS Evaluated: 2026-05-19
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
mullvad | mullvad_vpn | 2026.1
mullvad | mullvad_vpn | From 2026.2 (inc)
CWE ID | Description
CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-427 | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32323 is a local privilege escalation vulnerability in the Mullvad VPN installer for macOS versions 2026.1 and below.

During installation or upgrade, the installer executes binaries from /Applications/Mullvad VPN.app without verifying whether the application bundle is legitimate or attacker-controlled.

A local user in the admin group can pre-place a malicious application bundle at that location, which could allow them to execute code with root privileges.

The issue was fixed by modifying the preinstall script to drop privileges before running the setup command, preventing unauthorized privilege escalation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is in the Mullvad VPN installer for macOS, in versions 2026.1 and below: the installer executes binaries from /Applications/Mullvad VPN.app without verifying that the bundle is legitimate.

To detect if your system is vulnerable, you can check the installed version of Mullvad VPN to see if it is 2026.1 or below.

A possible command to check the installed version on macOS is:

  • defaults read "/Applications/Mullvad VPN.app/Contents/Info" CFBundleShortVersionString

Additionally, you can verify if there is any suspicious or attacker-controlled application bundle placed at /Applications/Mullvad VPN.app by listing the directory contents and checking for unexpected files or modifications:

  • ls -l /Applications | grep 'Mullvad VPN.app'
  • codesign -dv --verbose=4 "/Applications/Mullvad VPN.app"

These commands show the installed version and the code-signing details of the Mullvad VPN application bundle, which helps detect a bundle that has been replaced or tampered with.
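
Added example (not part of the original page and not Mullvad's own tooling): the codesign -dv command above only displays signing details, so this script turns that report into a verdict against an expected Team ID. The Team ID TEAMID1234, the identifier com.example.vpn and both sample reports are constructed placeholders; substitute the Team ID the vendor publishes.

```bash
#!/bin/bash
# signer_verdict <codesign-report> <expected-team-id>
# Prints ok, unsigned, adhoc, wrong-team or not-developer-id; returns 0 only for ok.
signer_verdict() {
    out=$1; want=$2
    case $out in
        *"code object is not signed at all"*) echo unsigned; return 1 ;;
    esac
    # Ad-hoc signatures carry no certificate chain, so they prove no origin.
    if printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
        echo adhoc; return 1
    fi
    team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    leaf=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p' | head -n 1)
    if [ "$team" != "$want" ]; then
        echo wrong-team; return 1
    fi
    case $leaf in
        "Developer ID Application: "*) echo ok; return 0 ;;
        *) echo not-developer-id; return 1 ;;
    esac
}

# check_bundle <bundle-path> <expected-team-id>  (macOS only, needs codesign)
check_bundle() {
    codesign --verify --deep --strict "$1" 2>/dev/null ||
        { echo invalid-signature; return 1; }
    # codesign -dv writes its report to stderr, hence 2>&1
    signer_verdict "$(codesign -dv --verbose=4 "$1" 2>&1)" "$2"
}

# Constructed sample reports (not captured from a real system)
SAMPLE_GOOD='Executable=/Applications/Example VPN.app/Contents/MacOS/Example VPN
Identifier=com.example.vpn
Authority=Developer ID Application: Example AB (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID1234'
SAMPLE_ADHOC='Executable=/Applications/Example VPN.app/Contents/MacOS/Example VPN
Identifier=com.example.vpn
Signature=adhoc
TeamIdentifier=not set'

# Usage on macOS: ./check.sh "/Applications/Mullvad VPN.app" <expected-team-id>
if [ "$#" -eq 2 ] && command -v codesign >/dev/null 2>&1; then
    check_bundle "$1" "$2"
fi
```

Run it before starting an install or upgrade; any verdict other than ok means the bundle at that path should not be trusted.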


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, the primary step is to avoid reinstalling or upgrading Mullvad VPN on macOS with versions 2026.1 and below until you can update to version 2026.2 or later, where the issue is fixed.

If you need to install or upgrade, ensure you use version 2026.2-beta1 or later, which includes a fix that drops privileges before executing the setup command, preventing local privilege escalation.

Additionally, restrict admin group users from placing or modifying application bundles in /Applications to prevent attackers from pre-placing malicious bundles.

Monitoring and auditing the /Applications directory for unauthorized changes can also help mitigate exploitation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows a local privilege escalation to root during installation or upgrade of Mullvad VPN on macOS, potentially leading to unauthorized access to sensitive system resources.

Such unauthorized privilege escalation could impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls on access to sensitive data and system integrity.

If exploited, this vulnerability could lead to breaches of confidentiality, integrity, and availability of data, which are critical aspects covered by these regulations.


How can this vulnerability impact me?

This vulnerability can allow an attacker with admin rights on a macOS system to escalate their privileges to root during the installation or upgrade of Mullvad VPN.

With root-level access, the attacker could execute arbitrary code with full system privileges, potentially compromising system confidentiality, integrity, and availability.

The CVSS score of 7.3 reflects a high impact on confidentiality, integrity, and availability.

