Mullvad VPN Patches Exit IP Fingerprinting Flaw That Let Sites Track Server-Switching Users

Mullvad VPN has begun deploying a server-side patch for a fingerprinting vulnerability that allowed websites to correlate user activity across different VPN servers, the company confirmed in a May 20 blog post.

The flaw affected users who regularly switched servers to separate their online activities — a privacy practice common among security-conscious VPN subscribers.

How the Vulnerability Worked

Mullvad distributes traffic across multiple public IP addresses on each server to make it harder for websites to block VPN users en masse.

The problem: the system assigned those IPs using a fixed, predictable formula tied to each user’s unique WireGuard key — the cryptographic identifier that authenticates a user’s device to the VPN network.

Because the assignment was deterministic rather than random, a user consistently received an IP at roughly the same relative position within each server’s address pool.

If someone landed near the 40th percentile on one server, they would land near the same position on another.

That consistent pattern gave websites a fingerprint — a way to infer that the same person had moved between different Mullvad servers, even without knowing their identity.

Company Response

Independent researcher tmctmt disclosed the issue publicly on May 14, 2026, and released a proof-of-concept estimator tool alongside the writeup.

Mullvad co-CEO Jan Frederik Stromberg responded on Hacker News, acknowledging that parts of the behavior were unintended and confirming the company had already started testing a fix.

He also said security researchers should notify companies before publishing their findings publicly.

Mullvad’s blog post stopped short of calling it a data-exposure event. The company said the vulnerability does not reveal a user’s identity — only the behavioral pattern of someone moving between servers.

Still, that distinction matters less for users who rely on server-switching specifically to prevent cross-session tracking.

The Fix

Mullvad introduced a new exit IP assignment method that randomizes position within the address pool and breaks the predictable link between a user’s WireGuard key and their assigned IP on any given server.
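As an added illustration of the two assignment schemes described above (this is a model written for this article, not Mullvad's code; Mullvad's actual formula is not published in the post, and the SHA-256 mapping, the pool sizes and the per-server secret are assumptions), the following Python contrasts a key-only assignment, whose relative position stays almost identical across pools of different sizes, with one that mixes in a per-server secret:

```python
import hashlib
import secrets

# Constructed pool sizes for three hypothetical servers (not Mullvad's real layout).
POOL_SIZES = {"server-a": 64, "server-b": 200, "server-c": 1000}


def key_fraction(data: bytes) -> float:
    """Map bytes to a value in [0, 1) via SHA-256; stands in for any fixed formula."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big") / 2**64


def deterministic_position(wg_pubkey: bytes, pool_size: int) -> float:
    """Flawed scheme (model): the slot depends only on the key, so the relative
    position in the pool is roughly the same on every server (within 1/pool_size)."""
    slot = int(key_fraction(wg_pubkey) * pool_size)
    return slot / pool_size


def randomized_position(wg_pubkey: bytes, pool_size: int, server_secret: bytes) -> float:
    """Fixed scheme (model): a secret known only to that server is mixed in, so
    the position on one server says nothing about the position on another."""
    slot = int(key_fraction(server_secret + wg_pubkey) * pool_size)
    return slot / pool_size


def position_spread(positions) -> float:
    """Largest difference in relative position across servers for one key;
    a value near 0 means the position is a stable cross-server fingerprint."""
    return max(positions) - min(positions)


def compare_schemes(wg_pubkey: bytes, server_secrets: dict) -> tuple:
    """Return (spread under the flawed scheme, spread under the fixed scheme)."""
    det = [deterministic_position(wg_pubkey, n) for n in POOL_SIZES.values()]
    rnd = [randomized_position(wg_pubkey, n, server_secrets[s]) for s, n in POOL_SIZES.items()]
    return position_spread(det), position_spread(rnd)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for a WireGuard public key
    secrets_by_server = {s: secrets.token_bytes(32) for s in POOL_SIZES}
    print(compare_schemes(key, secrets_by_server))
```

Run repeatedly, the first number stays below 1/64 while the second jumps around, which is exactly the difference between a position a site can recognise again and one it cannot.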

Because the change happens entirely on Mullvad’s infrastructure, users do not need to update the app.

As a short-term workaround, the company advised users to log out and log back into the official app before switching servers, which regenerates the WireGuard key and disrupts correlation.

Users who connect to a single server and do not switch locations are unaffected.

As of June 1, 2026, Mullvad confirmed the mitigation had begun rolling out across a subset of its servers, with a full server list published on its website.

Progress tracking remains available through a dedicated status page the company linked in its blog post.

Background

IP fingerprinting — using patterns in assigned network addresses to identify or track users — is a recognized technique that applies across multiple domains beyond VPNs, including ad-tech and browser-based tracking.

WireGuard, the open-source VPN protocol Mullvad uses, has gained wide adoption for its speed and lean codebase since its mainline inclusion in the Linux kernel in 2020.

Deepak Gupta
