Cyber Resilience

CVE-2026-32323

HighLPE

Published: 19 May 2026

Published
19 May 2026
Modified
22 May 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0011 1.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32323 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Mullvad Mullvad Vpn. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying…

more

if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.005 Executable Installer File Permissions Weakness Stealth
Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.
Why these techniques?

Vulnerability allows local admin to pre-place malicious bundle at predictable installer path (/Applications/Mullvad VPN.app), enabling root code execution via uncontrolled executable path during install/upgrade (CWE-427/345/269).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1993Shared CWE-269
CVE-2025-36640Shared CWE-269
CVE-2026-24072Shared CWE-269
CVE-2026-30902Shared CWE-269
CVE-2025-27644Shared CWE-269
CVE-2024-49742Shared CWE-269
CVE-2026-8955Shared CWE-269
CVE-2024-13376Shared CWE-269
CVE-2025-8218Shared CWE-269
CVE-2026-26416Shared CWE-269

Affected Assets

mullvad
mullvad vpn
≤ 2026.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-269

Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

addresses: CWE-269

Access supervision ensures privileges are assigned and managed without improper escalation or retention.

addresses: CWE-269

Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

addresses: CWE-269

Enforces proper privilege management by requiring all decisions through the verified reference monitor.

addresses: CWE-269

By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

addresses: CWE-269

Implements core proper privilege management by restricting to only required rights.

addresses: CWE-269

Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.

addresses: CWE-269

Training covers proper privilege management practices, making incorrect privilege assignments less likely.

References