Description
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.
Published: 2026-05-19
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user with administrator privileges on macOS to elevate their rights to root during the installation or upgrade of Mullvad VPN versions 2026.1 and earlier. The installer executes binaries from the /Applications/Mullvad VPN.app bundle without verifying that the bundle is the legitimate Mullvad application or that it has not been tampered with. A crafted application bundle placed at that location can execute arbitrary code with root privileges, violating confidentiality, integrity, and availability of the system.

Affected Systems

Affected product: Mullvad VPN application for macOS. Versions up to and including 2026.1 are impacted. The issue was fixed in version 2026.2-beta1.

Risk and Exploitability

The CVSS score of 7.3 indicates a high-severity local privilege escalation risk. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, so there is no indication of active exploitation in the wild. The exploitation path requires a local admin to install or upgrade the app, making it a local attack vector. An attacker can pre-place a malicious bundle at /Applications/Mullvad VPN.app prior to installation or upgrade to achieve code execution as root.

Generated by OpenCVE AI on May 19, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest Mullvad VPN version 2026.2-beta1 or newer to resolve the installer verification issue.
  • Prior to installing or upgrading, confirm that no other administrator accounts have write access to the /Applications/Mullvad VPN.app directory, so that a malicious bundle cannot be pre-placed there for the installer to execute.
  • Validate the installer package signature and use macOS Gatekeeper or similar integrity-checking tools to ensure the installer has not been tampered with.
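The pre-install check that the second and third actions call for, written here as an added example (not Mullvad's or OpenCVE's code): before a pkg installer runs, it verifies that whatever already sits at the bundle path carries a valid code signature from the expected Developer ID team and is not writable by other accounts. The Team ID is a placeholder to fill in, and the bundle identifier and codesign output used for testing are constructed samples.

```python
"""Pre-install check of the app bundle path before a pkg installer runs.
Added example, not Mullvad's code; the live check needs macOS `codesign`."""
import os
import stat
import subprocess

BUNDLE_PATH = "/Applications/Mullvad VPN.app"
EXPECTED_TEAM_ID = "TEAMID_PLACEHOLDER"  # assumption: vendor's Developer ID Team ID

def parse_codesign_details(text: str) -> dict[str, str]:
    """Parse the key=value lines `codesign -dvv` writes to stderr; the first
    occurrence of a key wins (Authority= repeats once per certificate)."""
    details: dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            details.setdefault(key.strip(), value.strip())
    return details

def mode_group_or_world_writable(mode: int) -> bool:
    """True if the permission bits grant group or other write access."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def assess_bundle(details: dict[str, str], verify_rc: int, writable: bool,
                  expected_team: str = EXPECTED_TEAM_ID) -> list[str]:
    """Return findings; an empty list means the pre-placed bundle passes."""
    findings: list[str] = []
    if verify_rc != 0:
        findings.append("code signature missing or invalid")
    team = details.get("TeamIdentifier")
    if team != expected_team:
        findings.append(f"unexpected TeamIdentifier {team!r}")
    if writable:
        findings.append("bundle directory is group- or world-writable")
    return findings

def check_bundle(path: str = BUNDLE_PATH) -> list[str]:
    """Run codesign against whatever sits at the install path (macOS only)."""
    if not os.path.isdir(path):
        return []  # nothing pre-placed at the install location
    verify = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                            capture_output=True)
    shown = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    writable = mode_group_or_world_writable(os.lstat(path).st_mode)
    return assess_bundle(parse_codesign_details(shown.stderr),
                         verify.returncode, writable)

if __name__ == "__main__":
    for finding in check_bundle() or ["bundle check passed"]:
        print(finding)
```

Any non-empty result means the installer should not be run until the bundle at that path has been removed or replaced by a known-good copy.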

Generated by OpenCVE AI on May 19, 2026 at 02:22 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 08:30:00 +0000

Type: First Time appeared
Values Added: Mullvad; Mullvad mullvad Vpn
Type: Vendors & Products
Values Added: Mullvad; Mullvad mullvad Vpn

Tue, 19 May 2026 01:30:00 +0000

Type: Description
Values Added: (the CVE description quoted in the Description section above)
Type: Title
Values Added: Mullvad VPN for macOS: Local Privilege Escalation via unverified bundle path in installer
Type: Weaknesses
Values Added: CWE-269, CWE-345, CWE-427
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-19T00:23:23.143Z

Reserved: 2026-03-11T21:16:21.661Z

Link: CVE-2026-32323

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T02:16:14.367

Modified: 2026-05-19T02:16:14.367

Link: CVE-2026-32323

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T08:15:26Z

Weaknesses