CVE-2026-32323 Overview
CVE-2026-32323 is a local privilege escalation vulnerability in the Mullvad VPN client for macOS, affecting versions 2026.1 and below. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying that the bundle is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that path before running the installer. When the installer or upgrade process runs with elevated privileges, the attacker-controlled binary executes as root. The flaw is tracked under CWE-269: Improper Privilege Management and resolved in version 2026.2-beta1.
Critical Impact
An admin-group user on macOS can achieve code execution as root by planting a malicious bundle at /Applications/Mullvad VPN.app prior to installation or upgrade.
Affected Products
- Mullvad VPN for macOS versions 2026.1 and earlier
- Mullvad VPN installer package (pkg) preinstall script
- Fixed in Mullvad VPN 2026.2-beta1
Discovery Timeline
- 2026-05-19 - CVE-2026-32323 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-32323
Vulnerability Analysis
The Mullvad VPN macOS installer uses a preinstall script that stops the existing daemon by executing mullvad-setup from the install directory. The script invoked "$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup" prepare-restart directly as root. Because /Applications is writeable by any user in the local admin group, the destination path is not a trusted location at install time. An attacker with admin-group membership can replace or pre-create the Mullvad VPN.app bundle with a malicious binary at Contents/Resources/mullvad-setup. When an administrator runs the installer or an upgrade, the rogue binary inherits root privileges from the installer context. This turns admin-group membership, which by itself does not grant root, into full root code execution.
Root Cause
The preinstall script trusted a file system path that non-root admin users can write to. The installer performed no signature verification, bundle authenticity check, or privilege drop before invoking the binary. This is a classic CWE-269 improper privilege management pattern combined with insecure path trust.
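The "insecure path trust" described above can be made concrete with an ownership and permission walk: before a privileged script executes a binary, every component from the file up to / must be root-owned and not writable by any other user or group. The following is an added example written for this advisory, not Mullvad's code and not the fix the project shipped (which drops privileges instead); the stat records, the admin gid 80, the uid 501 and the /usr/local/libexec path are constructed assumptions, and the check is a complement to, not a replacement for, privilege dropping.

```python
import os
import posixpath
import stat
from types import SimpleNamespace

ADMIN_GID = 80  # gid of the macOS "admin" group (assumed for this example)


def _entry(uid, gid, mode, is_dir=True):
    # Build a stat-like record carrying only the three fields the check reads.
    kind = stat.S_IFDIR if is_dir else stat.S_IFREG
    return SimpleNamespace(st_uid=uid, st_gid=gid, st_mode=kind | mode)


# Constructed stat records modelling the pre-fix situation: /Applications is
# root:admin 0775, so any admin-group member can create entries in it, and the
# planted bundle is owned by an ordinary admin user (uid 501). Not real data.
FAKE_FS = {
    "/": _entry(0, 0, 0o755),
    "/Applications": _entry(0, ADMIN_GID, 0o775),
    "/Applications/Mullvad VPN.app": _entry(501, ADMIN_GID, 0o755),
    "/Applications/Mullvad VPN.app/Contents": _entry(501, ADMIN_GID, 0o755),
    "/Applications/Mullvad VPN.app/Contents/Resources": _entry(501, ADMIN_GID, 0o755),
    "/Applications/Mullvad VPN.app/Contents/Resources/mullvad-setup":
        _entry(501, ADMIN_GID, 0o755, is_dir=False),
    # A root-owned chain with no non-root write access anywhere (constructed).
    "/usr": _entry(0, 0, 0o755),
    "/usr/local": _entry(0, 0, 0o755),
    "/usr/local/libexec": _entry(0, 0, 0o755),
    "/usr/local/libexec/mullvad-setup": _entry(0, 0, 0o755, is_dir=False),
}
PLANTED_PATH = "/Applications/Mullvad VPN.app/Contents/Resources/mullvad-setup"
TRUSTED_PATH = "/usr/local/libexec/mullvad-setup"


def fake_lstat(path):
    """Stand-in for os.lstat that serves the constructed records above."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


def untrusted_components(path, lstat=os.lstat):
    """List every component from `path` up to '/' that a non-root user could control.

    Problems are reported leaf-first. On a real filesystem pass
    os.path.realpath(path) so symlinks are resolved before the walk.
    """
    problems = []
    p = path
    while True:
        try:
            st = lstat(p)
        except FileNotFoundError:
            # A missing entry inside a writable directory can be created by the
            # writer, so keep walking and report the parents too.
            problems.append(f"{p}: does not exist")
        else:
            if st.st_uid != 0:
                problems.append(f"{p}: owned by uid {st.st_uid}, not root")
            if st.st_mode & stat.S_IWOTH:
                problems.append(f"{p}: world-writable")
            elif st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                problems.append(f"{p}: writable by gid {st.st_gid}")
        parent = posixpath.dirname(p)
        if parent == p:  # reached '/'
            break
        p = parent
    return problems


def safe_to_exec_as_root(path, lstat=os.lstat):
    """True only when no component of `path` is controllable by a non-root user."""
    return not untrusted_components(path, lstat)


if __name__ == "__main__":
    for candidate in (PLANTED_PATH, TRUSTED_PATH):
        verdict = "OK" if safe_to_exec_as_root(candidate, fake_lstat) else "REFUSE"
        print(f"{verdict}: {candidate}")
        for problem in untrusted_components(candidate, fake_lstat):
            print("   ", problem)
```

Against the constructed records the planted path is rejected on five components, the last of them being /Applications itself (group-writable by admin), which is exactly why no bundle placed there can be trusted at install time regardless of who owns the bundle.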
Attack Vector
Exploitation requires local access and admin-group membership, plus the user action of running the installer. The attacker stages a malicious Mullvad VPN.app bundle at /Applications/Mullvad VPN.app and waits for an upgrade or fresh install. When the preinstall script runs as root, it executes the attacker's mullvad-setup binary, granting root code execution.
# Patch diff from dist-assets/pkg-scripts/preinstall
echo "Running preinstall at $(date)"
-# Stop the existing daemon
-"$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup" prepare-restart &>/dev/null || \
+# Stop the existing daemon. INSTALL_DIR is writeable by admins, so we drop privileges before executing mullvad-setup.
+sudo -u nobody "$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup" prepare-restart &>/dev/null || \
echo "Failed to send 'prepare-restart' command to old mullvad-daemon"
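Review bot: the added `sudo -u nobody` line still executes whatever binary sits at the admin-writable `$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup` path; it only changes the identity that runs it from root to `nobody`, so a planted binary still gets executed inside the installer session and the comment should say so rather than imply the path is now safe. Two points on the same line: a pkg script is non-interactive, so `sudo -n -u nobody` would fail fast instead of blocking if a password were ever required, and because `&>/dev/null` is retained, a `prepare-restart` that fails because the daemon does not accept commands from an unprivileged caller is indistinguishable from the binary being absent; consider sending stderr to the installer log next to the existing `echo "Failed to send ..."` fallback, and confirm that mullvad-daemon accepts `prepare-restart` from `nobody` at all, otherwise that fallback branch now fires on every upgrade.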
Source: Mullvad VPN security patch commit 032fdcb. The fix drops privileges to the unprivileged nobody user before executing the binary from the attacker-writeable path.
Detection Methods for CVE-2026-32323
Indicators of Compromise
- Creation or modification of /Applications/Mullvad VPN.app/Contents/Resources/mullvad-setup by a non-root user prior to installer execution.
- Unsigned or ad-hoc signed binaries inside /Applications/Mullvad VPN.app that do not match the legitimate Mullvad code signature.
- Child processes spawned as root from the installer preinstall script that do not correspond to the official mullvad-setup binary.
Detection Strategies
- Monitor file system writes by non-root admin users to /Applications/Mullvad VPN.app outside of an active installer session.
- Audit installer and pkg script execution chains for child processes that deviate from expected Mullvad binaries.
- Verify the code signature of mullvad-setup against the Mullvad developer ID before any installer run.
Monitoring Recommendations
- Enable Endpoint Security Framework (ESF) telemetry on macOS to capture ES_EVENT_TYPE_NOTIFY_EXEC events tied to installer-owned parents.
- Alert on root-level execution originating from paths writeable by non-root users in /Applications.
- Track package installations and correlate them with prior file writes to the destination bundle path.
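The last two strategies (root-level execution from a non-root-writable path under /Applications, correlated with earlier writes to the same bundle) can be expressed as a small correlation rule. The following is an added example for this advisory, not Mullvad's code or any vendor's detection content; the event records are constructed telemetry in a normalised shape that an Endpoint Security exec/write feed might be mapped into, and the field names, parent process names and timestamps are assumptions.

```python
from datetime import timedelta

# Parent process names treated as "installer-owned" (assumed, adjust to your telemetry).
INSTALLER_PARENTS = {"installer", "package_script_service"}
# How far back to look for a non-root write into the same bundle.
CORRELATION_WINDOW = timedelta(days=1).total_seconds()

# Constructed sample telemetry (ts in seconds). Not real log data.
EVENTS = [
    {"ts": 100, "type": "write", "uid": 501, "proc": "cp",
     "path": "/Applications/Mullvad VPN.app/Contents/Resources/mullvad-setup"},
    {"ts": 130, "type": "write", "uid": 501, "proc": "curl",
     "path": "/Users/alice/Downloads/MullvadVPN-2026.2.pkg"},
    {"ts": 200, "type": "exec", "uid": 0, "parent": "package_script_service",
     "path": "/Applications/Mullvad VPN.app/Contents/Resources/mullvad-setup",
     "argv": ["mullvad-setup", "prepare-restart"]},
    {"ts": 210, "type": "exec", "uid": 0, "parent": "package_script_service",
     "path": "/usr/bin/killall", "argv": ["killall", "mullvad-daemon"]},
    # Benign: the installer itself (root) wrote the bundle it later executes.
    {"ts": 350, "type": "write", "uid": 0, "proc": "installer",
     "path": "/Applications/Other.app/Contents/MacOS/Other"},
    {"ts": 400, "type": "exec", "uid": 0, "parent": "package_script_service",
     "path": "/Applications/Other.app/Contents/MacOS/Other", "argv": ["Other"]},
]


def bundle_root(path):
    """Return the enclosing .app bundle path, or None if the path is not inside one."""
    parts = path.split("/")
    for i, part in enumerate(parts):
        if part.endswith(".app"):
            return "/".join(parts[: i + 1])
    return None


def correlate(events, window=CORRELATION_WINDOW):
    """Alert on root execs from an /Applications bundle that a non-root user wrote into recently."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "exec" or ev["uid"] != 0:
            continue
        bundle = bundle_root(ev["path"])
        if bundle is None or not bundle.startswith("/Applications/"):
            continue
        # Non-root writes anywhere inside the same bundle within the window.
        prior = [w for w in events
                 if w["type"] == "write" and w["uid"] != 0
                 and bundle_root(w["path"]) == bundle
                 and 0 <= ev["ts"] - w["ts"] <= window]
        if not prior:
            continue
        alerts.append({
            "ts": ev["ts"],
            "path": ev["path"],
            "parent": ev["parent"],
            "from_installer": ev["parent"] in INSTALLER_PARENTS,
            "prior_writes": sorted(prior, key=lambda w: w["ts"]),
        })
    return alerts


def format_alert(alert):
    writers = ", ".join(f"uid {w['uid']} via {w['proc']} at t={w['ts']}"
                        for w in alert["prior_writes"])
    origin = "installer script" if alert["from_installer"] else alert["parent"]
    return (f"t={alert['ts']} root exec of {alert['path']} from {origin}; "
            f"bundle previously written by {writers}")


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(format_alert(alert))
```

The rule deliberately keys on the bundle rather than the exact file, since an attacker who controls the bundle can point the installer at any file inside it; the root-written Other.app case produces no alert, which is the behaviour you want for an ordinary install, and shrinking the window to exclude the uid 501 write silences the alert as expected.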
How to Mitigate CVE-2026-32323
Immediate Actions Required
- Upgrade the Mullvad VPN macOS installer to version 2026.2-beta1 or later before performing any new install or upgrade.
- Inspect /Applications/Mullvad VPN.app on managed macOS endpoints and verify the bundle's code signature matches Mullvad's legitimate Developer ID.
- Restrict membership in the local admin group to trusted accounts only, since exploitation requires admin-group privileges.
Patch Information
The issue is fixed in Mullvad VPN 2026.2-beta1. The patch wraps the mullvad-setup invocation with sudo -u nobody to drop privileges before executing a binary from a path writeable by admin users. Full details are available in the GitHub Security Advisory GHSA-c2g6-w5fq-vw3m and the upstream commit 032fdcb.
Workarounds
- Users already running an older Mullvad VPN version are not at immediate risk, because the flaw lies in the installer's preinstall script rather than in the running client; defer upgrades until they can be performed with the patched installer.
- Before running the installer, delete or quarantine any existing /Applications/Mullvad VPN.app bundle that cannot be verified against Mullvad's signing identity.
- Run installations only from accounts and sessions where no untrusted admin user has had recent write access to /Applications.
# Verify the bundle signature before running the Mullvad installer
codesign --verify --deep --strict --verbose=2 "/Applications/Mullvad VPN.app"
spctl --assess --type execute --verbose "/Applications/Mullvad VPN.app"
# Remove a suspicious or unverifiable bundle prior to install/upgrade
sudo rm -rf "/Applications/Mullvad VPN.app"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.