PatchSiren cyber security CVE debrief
CVE-2026-32323 mullvad CVE debrief
Published on 2026-05-19, CVE-2026-32323 affects Mullvad VPN on macOS versions 2026.1 and earlier. During installation or upgrade, the installer can execute binaries from /Applications/Mullvad VPN.app without first confirming whether the bundle is legitimate or attacker-controlled. A user in the admin group may be able to pre-place a crafted application bundle at that path and obtain code execution as root. Mullvad says the issue is fixed in 2026.2-beta1 and notes that there is no immediate need to update if the vulnerable version is already installed, because the flaw is in the installer path rather than the running client.
- Vendor: mullvad
- Product: mullvadvpn-app
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-22
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-22
Who should care
macOS administrators, endpoint management teams, and users who install or upgrade Mullvad VPN on managed Macs. This matters most in environments where local users may influence the /Applications path or where software deployment workflows routinely run installers with elevated privileges.
Technical summary
The weakness is a macOS installer trust/path issue. The installer executes content from /Applications/Mullvad VPN.app without verifying that the bundle is the expected Mullvad application. In the described scenario, an admin-group user can place a crafted app bundle at that location before install or upgrade, which may let the installer run attacker-controlled code as root. The source metadata maps the issue to local attack conditions and references CWE-269, CWE-345, and CWE-427.
Defensive priority
High for systems that perform Mullvad VPN installation or upgrade on macOS. The issue is local and installer-scoped, so exposure is narrower than remote code execution, but the impact can be full root code execution during the affected workflow.
Recommended defensive actions
- Review macOS deployment and upgrade workflows for Mullvad VPN and confirm whether version 2026.2-beta1 or later is in use.
- If you install or upgrade Mullvad VPN on managed Macs, ensure /Applications/Mullvad VPN.app cannot be pre-populated or replaced by untrusted local users before installation.
- Prefer signed, verified installation packages and validate application bundle identity before any privileged post-install execution steps.
- Monitor admin-group access on Macs where software installation occurs, since the described attack requires a local user with that level of access.
- Track the vendor advisory and patch reference for any additional remediation guidance.
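One way to run the path and bundle-identity checks from the actions above before a privileged install, as an added example that is not Mullvad's code or part of the advisory. It assumes a package-installed bundle is owned by root and not group- or world-writable, and that the operator supplies the vendor's Team ID; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-install audit of the bundle path named in the advisory.
# Assumptions (not from the advisory): a package-installed bundle is owned by
# root and not group/world-writable; the Team ID is supplied by the operator.

# audit_bundle PATH OWNER: return 0 if PATH is absent or tightly owned, else 1.
audit_bundle() {
    bundle=$1; owner=$2
    if [ -L "$bundle" ]; then
        echo "FAIL: $bundle is a symlink"; return 1
    fi
    if [ ! -e "$bundle" ]; then
        echo "OK: $bundle is absent, nothing was pre-placed"; return 0
    fi
    # Entries with another owner, or (symlinks aside) group/world write access.
    loose=$(find "$bundle" \( ! -user "$owner" -o \
        \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print) || {
        echo "FAIL: could not walk $bundle"; return 1; }
    if [ -n "$loose" ]; then
        echo "FAIL: unexpected owner or group/world-writable entries:"
        printf '%s\n' "$loose" | sed 's/^/  /'
        return 1
    fi
    echo "OK: every entry is owned by $owner and not group/world-writable"
}

# check_signature PATH TEAM_ID: 0 = valid and signed by TEAM_ID, 1 = reject,
# 2 = codesign unavailable (not macOS), so the check could not run.
check_signature() {
    bundle=$1; team=$2
    command -v codesign >/dev/null 2>&1 || { echo "SKIP: no codesign"; return 2; }
    codesign --verify --deep --strict "$bundle" 2>/dev/null ||
        { echo "FAIL: signature does not verify"; return 1; }
    actual=$(codesign -dv --verbose=4 "$bundle" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    # A valid signature alone proves nothing: any developer can sign a bundle.
    if [ -z "$team" ] || [ "$actual" != "$team" ]; then
        echo "FAIL: TeamIdentifier '$actual' is not the expected one"; return 1
    fi
    echo "OK: signature verifies, TeamIdentifier $actual"
}

# Run with: sh audit.sh --run <EXPECTED_TEAM_ID>   (Team ID is a placeholder)
if [ "${1:-}" = "--run" ]; then
    app="/Applications/Mullvad VPN.app"
    audit_bundle "$app" root || exit 1
    [ ! -e "$app" ] || check_signature "$app" "${2:-}" || exit 1
fi
```

A failed audit means the path should be cleared by an administrator and the installer re-run from a verified package, not that the existing bundle should be trusted after a signature check alone.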
Evidence notes
Vendor advisory and patch references are provided by the source corpus: GitHub Security Advisory GHSA-c2g6-w5fq-vw3m and commit 032fdcb927c0b6d3e5e1aba4140d33adf22a6bfb. NVD marks the CVE as analyzed and lists the vulnerable macOS CPE range as ending before 2026.2. No KEV record is present in the supplied data.
Official resources
- CVE-2026-32323 CVE record (CVE.org)
- CVE-2026-32323 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Vendor Advisory
CVE published 2026-05-19 and modified 2026-05-22. Source corpus does not include a KEV listing.