CVE-2026-32323
Description
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mullvad VPN for macOS installer executes binaries from a writable path without verification, allowing local privilege escalation to root.
Vulnerability
Overview
CVE-2026-32323 is a local privilege escalation vulnerability in the Mullvad VPN installer for macOS, affecting versions 2026.1 and below. The root cause is that the installer's preinstall script executes binaries from /Applications/Mullvad VPN.app without verifying that the bundle is the legitimate Mullvad application or that the path has not been tampered with [1]. This allows a user in the admin group to pre-place a crafted application bundle at that location before the installer runs.
Exploitation
Prerequisites
An attacker must have local access to the system and be a member of the admin group. During an installation or upgrade triggered by the installer package, the preinstall script runs with root privileges and executes mullvad-setup from the unverified path. The attacker can replace the legitimate Mullvad VPN.app with a malicious bundle containing arbitrary executables [1]. The fix, introduced in version 2026.2-beta1, drops privileges by running the command as the nobody user before executing the binary [2].
Impact
Successful exploitation allows the attacker to achieve arbitrary code execution as root, gaining full control over the affected macOS system. Since the vulnerability is limited to the installer process, users already running an older version are not immediately at risk unless they perform an upgrade [1].
Mitigation
The issue is fixed in MullvadVPN-2026.2.pkg and above. Users are recommended to update to version 2026.2 or later. Users should avoid installing any version prior to 2026.2 [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2026.1
Patches
1032fdcb927c0 Fix LPE using mullvad-setup in preinstall script
2 files changed · +6 −2
CHANGELOG.md+4 −0 modified@@ -35,6 +35,10 @@ Line wrap the file at 100 chars. Th #### macOS - GotaTun is now used as the WireGuard implementation. It replaces wireguard-go. +### Security +#### macOS +- Fix LPE in `preinstall` script that allowed administrator users to elevate themselves to `root`. + ## [2026.1-beta1] - 2026-02-23 ### Changed
dist-assets/pkg-scripts/preinstall+2 −2 modified@@ -22,8 +22,8 @@ exec > $LOG_DIR/preinstall.log 2>&1 echo "Running preinstall at $(date)" -# Stop the existing daemon -"$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup" prepare-restart &>/dev/null || \ +# Stop the existing daemon. INSTALL_DIR is writeable by admins, so we drop privileges before executing mullvad-setup. +sudo -u nobody "$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup" prepare-restart &>/dev/null || \ echo "Failed to send 'prepare-restart' command to old mullvad-daemon" # NOTE: This path must be kept in sync with the path defined
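Review bot: In the preinstall hunk, `sudo -u nobody` stops the binary from running as root, but the attacker-controlled `mullvad-setup` is still executed (now as `nobody`) inside the installer's context, with the installer's environment and the `$LOG_DIR/preinstall.log` redirection; since the step is already best-effort (`|| echo "Failed to send 'prepare-restart' ..."`), consider also checking that the binary is root-owned and not group/world-writable (or verifying its code signature) and skipping `prepare-restart` when that check fails. Two smaller points: the new comment line is well over 100 characters and should be wrapped, and `&>/dev/null` is bash-only, so the script is correct only if it runs under bash.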
Vulnerability mechanics
Root cause
"The macOS installer preinstall script executes a binary from a user-writable path without verifying the authenticity of the application bundle, allowing an admin user to substitute a malicious bundle and escalate privileges to root."
Attack vector
An attacker who is a member of the admin group on macOS can place a crafted application bundle at `/Applications/Mullvad VPN.app` before the legitimate Mullvad installer runs. The installer's preinstall script [patch_id=443872] executes `mullvad-setup` from that path without verifying the bundle's origin or integrity. Because the script originally ran as root during installation, the attacker-controlled binary would execute with root privileges, achieving local privilege escalation. The CVSS vector (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) confirms the attack requires local access, low complexity, and user interaction (the admin user must trigger the install/upgrade).
Affected code
The vulnerable code is in `dist-assets/pkg-scripts/preinstall` [patch_id=443872]. The preinstall script, executed by the macOS installer package, directly invokes `"$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup" prepare-restart` without verifying the authenticity of the application bundle at that path. The `INSTALL_DIR` (typically `/Applications`) is writeable by admin users, making the path attacker-controllable.
What the fix does
The patch [patch_id=443872] changes the preinstall script to execute `mullvad-setup` via `sudo -u nobody`, dropping privileges to the unprivileged `nobody` user before running the binary. This closes the privilege escalation because even if an attacker has placed a malicious bundle at the target path, the injected code will run as `nobody` rather than as root. The commit message and changelog entry explicitly identify this as a fix for a local privilege escalation in the preinstall script on macOS.
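The patch relies on dropping privileges rather than on verifying what sits at the path. As an added illustration (not Mullvad's own preinstall script), the following shell snippet combines both controls: it refuses to run a `mullvad-setup` that is a symlink, non-executable, or group/world-writable, and otherwise invokes it through `sudo -u nobody` as the fix does. The bundle path and `prepare-restart` subcommand are taken from the diff; `check_trusted_exec`, `run_setup_unprivileged` and the `RUNNER` override are this example's own names.

```shell
#!/bin/sh
# Illustrative hardened preinstall step (added example, not Mullvad's own script).
# Paths and the "prepare-restart" subcommand follow the layout quoted in the patch;
# INSTALL_DIR, UNPRIV_USER and RUNNER are overridable so the logic can be exercised offline.
set -u

INSTALL_DIR="${INSTALL_DIR:-/Applications}"
UNPRIV_USER="${UNPRIV_USER:-nobody}"

# Return 0 only if $1 looks like a binary that an installer running as root may invoke:
# a regular file (not a symlink), executable, and neither group- nor world-writable.
# Caveat: /Applications itself is admin-writable on macOS, so passing this check does not
# prove the bundle is genuine; it only rejects the cheapest substitutions. Dropping
# privileges (below) remains the primary control.
check_trusted_exec() {
    local f="$1"
    if [ -L "$f" ]; then
        echo "refusing: $f is a symlink" >&2; return 1
    fi
    if [ ! -f "$f" ] || [ ! -x "$f" ]; then
        echo "refusing: $f is not an executable regular file" >&2; return 1
    fi
    # -perm -020 (group write) and -perm -002 (other write) behave the same in GNU and BSD find.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "refusing: $f is group- or world-writable" >&2; return 1
    fi
    return 0
}

# Send "prepare-restart" to the old daemon without root, mirroring the patch's
# `sudo -u nobody`. RUNNER may be set to "" (e.g. in tests) to execute directly.
run_setup_unprivileged() {
    local setup="$INSTALL_DIR/Mullvad VPN.app/Contents/Resources/mullvad-setup"
    local runner="${RUNNER-sudo -u $UNPRIV_USER}"
    check_trusted_exec "$setup" || return 1
    # $runner is intentionally unquoted so "sudo -u nobody" word-splits into a command.
    $runner "$setup" prepare-restart
}
```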
Preconditions
- auth: Attacker must be a member of the macOS admin group.
- input: Attacker must place a crafted application bundle at /Applications/Mullvad VPN.app before the installer runs.
- network: No network access required; the attack is purely local.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.