Description
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.
Published: 2026-05-19
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user with administrator privileges on macOS to elevate their rights to root during the installation or upgrade of Mullvad VPN versions 2026.1 and earlier. The installer executes binaries from the /Applications/Mullvad VPN.app bundle without verifying that the bundle is the legitimate Mullvad application or that it has not been tampered with. A crafted application bundle placed at that location can execute arbitrary code with root privileges, violating confidentiality, integrity, and availability of the system.

Affected Systems

Affected product: Mullvad VPN application for macOS. Versions up to and including 2026.1 are impacted. The issue was fixed in version 2026.2-beta1.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity local privilege escalation risk. The EPSS score is 6e-05 (< 1%), indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively exploited in the wild. The exploitation path requires a local admin to install or upgrade the app, making it a local attack vector. An attacker can pre-place a malicious bundle at /Applications/Mullvad VPN.app prior to installation or upgrade to achieve code execution as root.

Generated by OpenCVE AI on May 22, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest Mullvad VPN version 2026.2-beta1 or newer to resolve the installer verification issue.
  • Prior to installing or upgrading, confirm that no other administrator accounts have write access to the /Applications/Mullvad VPN.app directory so the installer cannot overwrite it with a malicious bundle.
  • Validate the installer package signature and use macOS Gatekeeper or similar integrity-checking tools to ensure the installer has not been tampered with.

Generated by OpenCVE AI on May 22, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mullvad:mullvad_vpn:*:*:*:*:*:macos:*:*

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Mullvad
Mullvad mullvad Vpn
Vendors & Products Mullvad
Mullvad mullvad Vpn

Tue, 19 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.
Title Mullvad VPN for macOS: Local Privilege Escalation via unverified bundle path in installer
Weaknesses CWE-269
CWE-345
CWE-427
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Mullvad Mullvad Vpn
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-20T03:55:24.550Z

Reserved: 2026-03-11T21:16:21.661Z

Link: CVE-2026-32323

cve-icon Vulnrichment

Updated: 2026-05-19T13:39:41.007Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T02:16:14.367

Modified: 2026-05-22T00:04:48.257

Link: CVE-2026-32323

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T02:00:13Z

Weaknesses