Vulnerabilities ›

CVE-2026-32323

High

CWE-269 — Weakness Type

                    Published: May 19, 2026                      ·  Modified: May 26, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.

🤖 AI Executive Summary

Mullvad VPN versions 2026.1 and below on macOS contain a local privilege escalation vulnerability (CVE-2026-32323) allowing admin users to achieve root code execution during installation or upgrade. The vulnerability stems from insufficient verification of application bundle integrity before binary execution. While no public exploits exist, the attack requires only local access and admin privileges, making it a significant risk for organizations with shared macOS infrastructure. Patching to version 2026.2-beta1 or later is recommended for affected deployments.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 22, 2026 05:32

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using Mullvad VPN on macOS systems face moderate risk, particularly in: (1) Government agencies and NCA-regulated entities with shared macOS workstations; (2) Banking and financial institutions (SAMA-regulated) using Mullvad for secure communications; (3) Telecommunications companies (STC, Mobily) with macOS-based infrastructure; (4) Healthcare organizations with shared administrative systems. The vulnerability is most critical in environments where admin users have elevated privileges and shared access to installation systems. Organizations with strict endpoint management and limited admin group membership face lower risk.

🏢 Affected Saudi Sectors

Government Banking and Financial Services Telecommunications Healthcare Energy Education

🎯 MITRE ATT&CK Techniques

T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1036.005 - Masquerading: Match Legitimate Name or Location T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking T1053.006 - Scheduled Task/Job: Systemd Timers

⚖️ Saudi Risk Score (AI)

6.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all macOS systems running Mullvad VPN versions 2026.1 and below using endpoint management tools

2. Restrict admin group membership to essential personnel only

3. Implement file integrity monitoring on /Applications/Mullvad VPN.app directory

4. Monitor installation and upgrade processes for suspicious bundle modifications

Patching Guidance:

1. Upgrade to Mullvad VPN version 2026.2-beta1 or later on all affected macOS systems

2. Prioritize systems in shared environments or with multiple admin users

3. Test patches in non-production environment before enterprise deployment

4. Schedule upgrades during maintenance windows to minimize disruption

Compensating Controls (if immediate patching not possible):

1. Disable automatic updates and manually control installation/upgrade timing

2. Use Mobile Device Management (MDM) to enforce code signing verification

3. Implement Application Control policies to whitelist only legitimate Mullvad bundles

4. Restrict write permissions to /Applications directory for non-root users

5. Enable System Integrity Protection (SIP) on all macOS systems

Detection Rules:

1. Monitor for unsigned or invalid code signatures on Mullvad VPN bundle

2. Alert on any modifications to /Applications/Mullvad VPN.app during installer execution

3. Track privilege escalation attempts during Mullvad installation processes

4. Log all admin group membership changes and sudo execution by admin users

5. Monitor for unexpected root process spawning from Mullvad installer context

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أنظمة macOS التي تقوم بتشغيل Mullvad VPN الإصدارات 2026.1 وما دونها باستخدام أدوات إدارة نقاط النهاية

2. تقييد عضوية المجموعة الإدارية للموظفين الأساسيين فقط

3. تنفيذ مراقبة سلامة الملفات على دليل /Applications/Mullvad VPN.app

4. مراقبة عمليات التثبيت والترقية للتعديلات المريبة على الحزمة

إرشادات الترقية:

1. الترقية إلى Mullvad VPN الإصدار 2026.2-beta1 أو أحدث على جميع أنظمة macOS المتأثرة

2. إعطاء الأولوية للأنظمة في البيئات المشتركة أو التي تحتوي على عدة مستخدمين إداريين

3. اختبار التصحيحات في بيئة غير الإنتاج قبل نشر المؤسسة

4. جدولة الترقيات خلال نوافذ الصيانة لتقليل الانقطاع

الضوابط البديلة (إذا لم يكن الترقية الفورية ممكنة):

1. تعطيل التحديثات التلقائية والتحكم اليدوي في توقيت التثبيت/الترقية

2. استخدام إدارة الأجهزة المحمولة (MDM) لفرض التحقق من التوقيع الرقمي

3. تنفيذ سياسات التحكم في التطبيقات لإدراج حزم Mullvad الشرعية فقط

4. تقييد أذونات الكتابة على دليل /Applications للمستخدمين غير الجذر

5. تفعيل حماية سلامة النظام (SIP) على جميع أنظمة macOS

قواعد الكشف:

1. مراقبة التوقيعات الرقمية غير الموقعة أو غير الصحيحة على حزمة Mullvad VPN

2. التنبيه على أي تعديلات على /Applications/Mullvad VPN.app أثناء تنفيذ المثبت

3. تتبع محاولات تصعيد الامتيازات أثناء عمليات تثبيت Mullvad

4. تسجيل جميع تغييرات عضوية المجموعة الإدارية وتنفيذ sudo من قبل المستخدمين الإداريين

5. مراقبة عمليات الجذر غير المتوقعة من سياق مثبت Mullvad

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 - Access Control and Authentication 5.2.1 - Privilege Management 5.3.1 - Change Management 6.1.1 - Malware Protection 6.2.1 - Vulnerability Management

🔵 SAMA CSF

ID.AM-2 - Software Inventory PR.AC-1 - Identity and Access Management PR.DS-6 - Data Security DE.CM-3 - Monitoring and Detection RS.MI-2 - Incident Response

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.6.1.1 - Information security roles and responsibilities A.8.1.1 - User endpoint devices A.12.2.1 - Restrictions on software installation A.12.6.1 - Management of technical vulnerabilities

🔗 References & Sources 2

🔗

https://github.com/mullvad/mullvadvpn-app/commit/032fdcb927c0b6d3e5e1aba4140d33adf22a6bfb

security-advisories@github.com

Patch

🔗

https://github.com/mullvad/mullvadvpn-app/security/advisories/GHSA-c2g6-w5fq-vw3m

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 1 entries

mullvad:mullvad_vpn

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-269

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-05-19

Source Feed nvd

🇸🇦 Saudi Risk Score

6.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-269

🏢 Vendor Advisories

🔗 https://github.com/mullvad/mullvadvpn-app/security/a...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-32323

Introduce Yourself

Sign In Required