CVE-2026-32323

Source
https://cve.org/CVERecord?id=CVE-2026-32323
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32323.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32323
Aliases
  • GHSA-c2g6-w5fq-vw3m
Published
2026-05-19T00:23:23.143Z
Modified
2026-07-08T08:12:46.882012626Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Mullvad VPN for macOS: Local Privilege Escalation via unverified bundle path in installer
Details

Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32323.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269",
        "CWE-345",
        "CWE-427"
    ]
}
References

Affected packages

Git / github.com/mullvad/mullvadvpn-app

Affected ranges

Type
GIT
Repo
https://github.com/mullvad/mullvadvpn-app
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:mullvad:mullvad_vpn:*:*:*:*:*:macos:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.2"
        }
    ]
}

Affected versions

2017.*
2017.1-alpha4
2017.1-alpha5
2017.1-beta1
2017.1-beta2
2017.1-beta3
2017.1-beta4
2018.*
2018.1-beta8
2018.1-beta9
2018.2-beta1
2018.2-beta2
2018.2-beta3
2018.3
2018.3-beta1
2018.4-beta1
2018.4-beta2
2018.6-beta1
2019.*
2019.10-beta1
2019.10-beta2
2019.2-beta1
2019.7
2019.7-beta1
2019.8
2019.8-beta1
2019.9
2019.9-beta1
2020.*
2020.4-beta1
2020.4-beta2
2020.5-beta1
2020.5-beta2
Other
allowed-ips
android/fix-devmole-google-play
ios-min-15
ios-min-17
android/2026.*
android/2026.1
android/2026.1-beta1
android/2026.1-beta2
android/2026.1-beta3
android/test-pre-beta-26.*
android/test-pre-beta-26.1
desktop/installer-downloader/0.*
desktop/installer-downloader/0.2.0
desktop/installer-downloader/0.3.0
desktop/installer-downloader/1.*
desktop/installer-downloader/1.0.0
desktop/installer-downloader/1.1.0
desktop/installer-downloader/1.2.0
ios-min-15.*
ios-min-15.0
ios/2020.*
ios/2020.1
ios/2020.2
ios/2020.3
ios/2020.4
ios/2020.5
ios/2021.*
ios/2021.1
ios/2021.2
ios/2021.3
ios/2021.4
ios/2022.*
ios/2022.1
ios/2022.2
ios/2022.3
ios/2022.3-build1
ios/2022.3-build2
ios/2023.*
ios/2023.1
ios/2023.1-build5
prepare-2025.*
prepare-2025.5-beta1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32323.json"