CVE-2026-32323: CWE-427: Uncontrolled Search Path Element in mullvad mullvadvpn-app
CVE-2026-32323 is a vulnerability in Mullvad VPN versions 2026. 1 and below on macOS where the installer does not verify the legitimacy of the application bundle path. This allows a local user with admin privileges to place a malicious application bundle at /Applications/Mullvad VPN. app and potentially execute code as root during installation or upgrade. The issue affects only the installer, so users running older versions without reinstalling are not immediately at risk. The vulnerability has been fixed in version 2026. 2-beta1.
AI Analysis
Technical Summary
Mullvad VPN's macOS installer for versions 2026.1 and earlier fails to verify that the /Applications/Mullvad VPN.app bundle is legitimate before executing binaries from it. This uncontrolled search path element vulnerability (CWE-427) enables a local user in the admin group to pre-place a crafted application bundle at that location, potentially leading to local privilege escalation to root during installation or upgrade. The vulnerability is limited to the installer process and does not affect the running application. The issue is resolved in version 2026.2-beta1.
Potential Impact
A local attacker with admin privileges can exploit this vulnerability to execute arbitrary code with root privileges during the installation or upgrade of Mullvad VPN on macOS. This could lead to full system compromise. However, the vulnerability only affects the installer, so existing installations are not vulnerable unless reinstalled or upgraded using the affected installer.
Mitigation Recommendations
Users should upgrade to Mullvad VPN version 2026.2-beta1 or later to apply the fix. Since the vulnerability only affects the installer, users who do not reinstall or upgrade are not immediately at risk. No additional mitigation is required if not performing installation or upgrade. Patch status is confirmed fixed in version 2026.2-beta1.
CVE-2026-32323: CWE-427: Uncontrolled Search Path Element in mullvad mullvadvpn-app
Description
CVE-2026-32323 is a vulnerability in Mullvad VPN versions 2026. 1 and below on macOS where the installer does not verify the legitimacy of the application bundle path. This allows a local user with admin privileges to place a malicious application bundle at /Applications/Mullvad VPN. app and potentially execute code as root during installation or upgrade. The issue affects only the installer, so users running older versions without reinstalling are not immediately at risk. The vulnerability has been fixed in version 2026. 2-beta1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Mullvad VPN's macOS installer for versions 2026.1 and earlier fails to verify that the /Applications/Mullvad VPN.app bundle is legitimate before executing binaries from it. This uncontrolled search path element vulnerability (CWE-427) enables a local user in the admin group to pre-place a crafted application bundle at that location, potentially leading to local privilege escalation to root during installation or upgrade. The vulnerability is limited to the installer process and does not affect the running application. The issue is resolved in version 2026.2-beta1.
Potential Impact
A local attacker with admin privileges can exploit this vulnerability to execute arbitrary code with root privileges during the installation or upgrade of Mullvad VPN on macOS. This could lead to full system compromise. However, the vulnerability only affects the installer, so existing installations are not vulnerable unless reinstalled or upgraded using the affected installer.
Mitigation Recommendations
Users should upgrade to Mullvad VPN version 2026.2-beta1 or later to apply the fix. Since the vulnerability only affects the installer, users who do not reinstall or upgrade are not immediately at risk. No additional mitigation is required if not performing installation or upgrade. Patch status is confirmed fixed in version 2026.2-beta1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T21:16:21.661Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0bbb23ec166c07b029a35a
Added to database: 5/19/2026, 1:21:39 AM
Last enriched: 5/19/2026, 1:36:49 AM
Last updated: 5/19/2026, 3:41:00 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.