Mullvad VPN discloses fingerprinting flaw that could track users across servers – you may need to act now
The VPN has confirmed a fix is in progress
Mullvad VPN has disclosed a fingerprinting vulnerability that could allow websites to link a user's activity across different VPN servers.
When a user switches servers, their exit IP address lands in a predictable position within the new server's IP range, allowing third parties to connect activity on the old server to the new one.
Fingerprinting identifies devices based on unique characteristics, without relying on cookies or login data. Here, the consistent positioning of exit IPs across servers creates a traceable pattern.
The flaw doesn't expose a user's real identity, but for those who switch servers specifically to separate their online sessions, it undermines that expectation. A fix is in testing.
Mullvad VPN is seen as a highly secure and private alternative to the best VPNs, and this is an uncharacteristic issue. However, the quick response to its discovery is encouraging.
On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users. We have a method which changes this behaviour currently being tested, with plans to begin rolling it out to our VPN servers in the coming weeks. Read more here:… (May 20, 2026)
How the fingerprinting flaw works
Each Mullvad VPN server assigns users one exit IP from a range of addresses. Every device has a unique WireGuard encryption key tied to an internal tunnel address, and exit IPs are assigned based on that address' relative position in the server's range.
If that position is 40% on Server A, it will be approximately 40% on Server B. A website observing traffic across multiple servers could therefore infer the same user appeared on both.
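A simplified model of the positional assignment described above, added here as an illustration; it is not Mullvad's code, and the article does not describe the actual fix. The address ranges, secrets and the keyed-hash alternative are assumptions made for the example, which measures how far a client's relative exit position drifts between two servers under each scheme.

```python
import hashlib
import hmac
import ipaddress

# All networks below are constructed sample values (private / documentation ranges).
TUNNEL_NET = ipaddress.ip_network("10.64.0.0/16")
POOLS = {
    "server-a": ipaddress.ip_network("198.51.100.0/24"),
    "server-b": ipaddress.ip_network("203.0.113.0/25"),
}


def fraction(addr, net):
    """Relative position of addr inside net, from 0.0 up to (not including) 1.0."""
    return (int(ipaddress.ip_address(addr)) - int(net.network_address)) / net.num_addresses


def positional_exit(tunnel_ip, pool):
    """Modelled flawed scheme: the exit IP keeps the tunnel address's relative position."""
    return pool[int(fraction(tunnel_ip, TUNNEL_NET) * pool.num_addresses)]


def keyed_exit(tunnel_ip, pool, server_secret):
    """Hypothetical alternative (an assumption): a per-server keyed hash picks the slot."""
    digest = hmac.new(server_secret, tunnel_ip.encode(), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % pool.num_addresses]


def position_gap(exits):
    """Largest difference in relative position across servers for one client."""
    fracs = [fraction(ip, POOLS[name]) for name, ip in exits.items()]
    return max(fracs) - min(fracs)


def audit(tunnel_ips, assign):
    """Mean cross-server position gap; a value near 0 means sessions are linkable."""
    gaps = [position_gap({n: assign(t, n) for n in POOLS}) for t in tunnel_ips]
    return sum(gaps) / len(gaps)


CLIENTS = [str(TUNNEL_NET[i * 997 + 5]) for i in range(60)]  # constructed tunnel addresses
SECRETS = {"server-a": b"constructed-secret-a", "server-b": b"constructed-secret-b"}

positional_gap = audit(CLIENTS, lambda t, n: positional_exit(t, POOLS[n]))
keyed_gap = audit(CLIENTS, lambda t, n: keyed_exit(t, POOLS[n], SECRETS[n]))

if __name__ == "__main__":
    print(f"positional scheme mean gap: {positional_gap:.4f}")
    print(f"keyed scheme mean gap:      {keyed_gap:.4f}")
```

In this model a tunnel address about 40% of the way through its range lands about 40% of the way through both exit pools, while the keyed variant places the same client at unrelated positions on each server.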
Why Mullvad VPN's network design created the issue
Unlike most VPNs, Mullvad VPN operates a range of exit addresses per server to reduce overcrowding and avoid mass IP blocks, and it's this architecture that makes consistent positional assignment possible.
The issue was flagged by an independent security researcher on May 15. Mullvad VPN acknowledged the disclosure promptly and published a detailed technical breakdown on its blog.
What Mullvad VPN users should do now
For most users, no action is needed. The vulnerability only matters if you switch servers with the specific goal of separating your online sessions and preventing your activity on one server from being linked to your activity on another.
If that applies to you, Mullvad VPN recommends:
- Open the Mullvad VPN app
- Log out of your account
- Log back in
- Connect to your new server
This regenerates your WireGuard key, breaking the pattern that enables fingerprinting. A permanent fix is in testing and will roll out server-side over the coming weeks, with no app update required.
Mullvad VPN has created a page for users to monitor the fixes as they happen.
