Mullvad VPN Local Privilege Escalation Vulnerability in macOS Installer

Vulnerability

A local privilege escalation vulnerability has been identified in the Mullvad VPN installer for macOS, affecting versions through 2026.1. The installer executes binaries from the application directory without verifying the authenticity of the application bundle. A user with administrative privileges can therefore place a malicious application bundle in the designated location and have the installer run its code, potentially leading to unauthorized code execution with root privileges.

Impact

Exploitation of this vulnerability could allow an administrator user to execute arbitrary code as the root user, potentially leading to full system compromise.

Reproduction

To reproduce this vulnerability, an administrator user can manually place a crafted application bundle into the '/Applications/Mullvad VPN.app' directory. Once the bundle is in place, the user can initiate the installation or upgrade process for Mullvad VPN. The installer will execute the binaries from the modified application bundle without proper validation, allowing for privilege escalation by executing malicious code as the root user.

Remediation

Users should update to Mullvad VPN version 2026.2 or later. Instructions for downloading the latest version are available on the Mullvad VPN website.
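One way an installer script can check a bundle before running anything from it, shown as an added example that is not Mullvad's code or its actual fix. The Team ID placeholder, the helper path supplied by the caller, and the `CODESIGN` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a bundle's code signature before an installer runs code from it.
# Assumptions (not from the advisory): TEAM_ID is a placeholder, the helper path is
# supplied by the caller, and CODESIGN can be overridden for testing.

CODESIGN="${CODESIGN:-/usr/bin/codesign}"
TEAM_ID="${TEAM_ID:-TEAMID_PLACEHOLDER}"   # placeholder, not the vendor's real Team ID

# Requirement: Apple-anchored certificate chain whose leaf belongs to the expected team.
requirement() {
    printf 'anchor apple generic and certificate leaf[subject.OU] = "%s"' "$TEAM_ID"
}

# verify_bundle <path>: succeeds only for a real directory (not a symlink) whose
# signature is intact and satisfies the requirement above.
verify_bundle() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    "$CODESIGN" --verify --deep --strict -R="$(requirement)" "$1" >/dev/null 2>&1
}

# run_verified <bundle> <helper-path-inside-bundle> [args...]
# The bundle is copied to a private directory before it is checked, so the bytes
# that were verified are the bytes that run. The original location stays writable
# by admin users and could be swapped between a check and an exec.
# Runs in a subshell so umask and variables do not leak into the caller.
run_verified() (
    bundle=$1; helper=$2; shift 2
    umask 077
    stage=$(mktemp -d "${TMPDIR:-/tmp}/verified.XXXXXX") || exit 1
    rc=0
    if cp -R "$bundle" "$stage/app" && verify_bundle "$stage/app" \
        && [ -f "$stage/app/$helper" ] && [ ! -L "$stage/app/$helper" ]; then
        "$stage/app/$helper" "$@" || rc=$?
    else
        echo "refusing to run $helper: $bundle failed the signature check" >&2
        rc=70   # exit status chosen for this example
    fi
    rm -rf "$stage"
    exit "$rc"
)
```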

Added: May 19, 2026, 2:22 AM
Updated: May 19, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 3.2
remediation: 0.0
relevance: 8.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.