Cyber Posture

CVE-2026-32323

HighLPE
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 19 May 2026

Published
19 May 2026
Modified
19 May 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32323 is a high-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-1 Policy and Procedures
addresses: CWE-269

Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.

AC-13 Supervision and Review — Access Control
addresses: CWE-269

Access supervision ensures privileges are assigned and managed without improper escalation or retention.

AC-2 Account Management
addresses: CWE-269

Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management.

AC-25 Reference Monitor
addresses: CWE-269

Enforces proper privilege management by requiring all decisions through the verified reference monitor.

AC-5 Separation of Duties
addresses: CWE-269

By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process.

AC-6 Least Privilege
addresses: CWE-269

Implements core proper privilege management by restricting to only required rights.

AT-1 Policy and Procedures
addresses: CWE-269

Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.

AT-3 Role-based Training
addresses: CWE-269

Training covers proper privilege management practices, making incorrect privilege assignments less likely.

NVD Description

Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying…

more

if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-269CWE-345CWE-427

References