Review of Mullvad VPN API

X41 performed a white box penetration test with source code access against Mullvad VPN AB’s public API and connected services. In 2024, X41 had already conducted an audit of the client applications. After good feedback from Mullvad VPN AB and the larger community, formulating a light threat model was again included in the effort.

Full report of the security audit: https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2026-01-20.pdf

Mullvad’s previous audits can be found at: https://github.com/mullvad/mullvadvpn-app/tree/main/audits

The scope included the public API as well as various services that are responsible for distributing WireGuard keys to relays or processing payments. The tests were performed on the development infrastructure provided by Mullvad VPN AB. Part of the test was conducted on-site, in Gothenburg, Sweden.

Results

A total of five vulnerabilities were discovered during the test by X41.

Overall, the Mullvad API appears to have a high security level and is well positioned to protect against the threats described in the threat model in our report. The practice of conducting regular audits and using the findings to inform design choices has led to a hardened environment.

The most serious vulnerability allowed an attacker to use a single voucher code to fund multiple accounts. Two vulnerabilities were uncovered which may impact the availability of the API. X41 agreed to redact these issues from the public report (as well as two informational issues), as they have no impact on users’ data and may only help potential attackers to cause Denial of Service conditions. The last two vulnerabilities had only limited impact and high initial barriers. The technical details may be found in the report.

In conclusion, the API and services only showed a small number of vulnerabilities, of which only one had a very limited impact on users of the service. Mullvad VPN AB addressed these vulnerabilities swiftly and the fixes were audited to be working properly.

X41 would like to thank Mullvad VPN AB for the hospitality and smooth communication throughout the audit!