- Mullvad has started testing a fix for recently discovered IP fingerprinting issues
- The company confirmed that the bug does not reveal a user’s true identity
- The patch is expected to start rolling out in the coming weeks
Following the discovery of a minor network vulnerability earlier this month, Mullvad has begun testing a remediation to address an exit IP fingerprinting issue across its server fleet.
Last Friday, May 15, the privacy-focused provider became aware that its servers were mapping exit IP addresses in a highly predictable manner, after a security researcher found the flaw during a security analysis. If a user hopped from one server to another, a mathematical quirk meant their sessions could be linked, compromising the anonymity of the server switch.
While this flaw never risked revealing your real IP address or personal identity, it allowed websites to see that the same anonymous person who connected from Server A was now connecting from Server B.
Now Mullvad has designed a permanent fix to break this link. This ensures that its network’s privacy standards remain on par with the best VPN services on the market. The rollout is expected to begin in the coming weeks, and everyone can follow the update’s progress here.
Mullvad co-founder and co-CEO Fredrik Strömberg was quick to acknowledge the problem, promising a fix for any unintended behavior and a reassessment of “whether the intended behavior is acceptable or not.”
We have reached out to Mullvad for further comment.
How the vulnerability works
Each Mullvad server hosts multiple users sharing a single exit IP. To handle heavy traffic, these servers use a wide range of exit addresses. When a user connects, their device uses a unique WireGuard key to encrypt the connection along with an internal tunnel address.
Because of how these internal addresses were handled, it was highly likely that a user who switched servers would be assigned an exit address with exactly the same relative position.
“When a user switches from one VPN server to another, this sometimes allows services such as websites to guess that the same user connecting from the new VPN server is the one connecting from the previous VPN server,” the company explained in its announcement.
On Friday, May 15, we became aware of a fingerprint issue affecting Mullvad users. We have a method that changes this behavior that is currently being tested, with plans to start rolling it out to our VPN servers in the coming weeks. Read more here:… (20 May 2026)
However, the company assures users that “this does not reveal the identity of the user.”
Mullvad also added that because multiple users share each exit IP, the bug won’t provide certainty, but “in many cases good guesses can be made.”
To permanently close the loophole, Mullvad is currently testing a new internal method of assigning exit IPs. The company confirmed that this upcoming patch “will not provide any information about which exit address is used on another VPN server or by another user on the same server.”
The update will be rolled out gradually over the coming weeks. Meanwhile, if your personal threat model requires absolute separation between server sessions, Mullvad recommends logging out and logging back into the app before switching servers. This action forces the app to generate a new WireGuard key and internal IP address.
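To make the "same relative position" problem concrete, here is an added example (not Mullvad's code and not from the announcement) that models it and measures how often a user lands at the same pool position on two servers. The modulo mapping, the address pools, the tunnel addresses, the per-server secrets and the HMAC-based alternative are all assumptions chosen for illustration; the article does not describe Mullvad's actual mapping or fix.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: documentation ranges, not real Mullvad exit addresses.
POOLS = {
    "server-a": [str(ip) for ip in ipaddress.ip_network("198.51.100.0/28").hosts()],
    "server-b": [str(ip) for ip in ipaddress.ip_network("203.0.113.0/28").hosts()],
}
# Hypothetical per-server secrets, used only by the keyed variant below.
SERVER_SECRETS = {"server-a": b"constructed-secret-a", "server-b": b"constructed-secret-b"}
# Constructed internal tunnel addresses, one per simulated user.
USERS = [f"10.64.{i // 256}.{i % 256}" for i in range(1, 2001)]

def exit_ip_positional(server, tunnel_addr):
    """Assumed model of the flaw: pool index depends only on the tunnel address."""
    pool = POOLS[server]
    return pool[int(ipaddress.ip_address(tunnel_addr)) % len(pool)]

def exit_ip_keyed(server, tunnel_addr):
    """Hypothetical alternative: index from an HMAC keyed with a per-server secret."""
    pool = POOLS[server]
    msg = ipaddress.ip_address(tunnel_addr).packed
    digest = hmac.new(SERVER_SECRETS[server], msg, hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]

def relative_position(server, exit_ip):
    """What an outside observer can compute from an exit IP and the public pool."""
    return POOLS[server].index(exit_ip)

def linkable_fraction(assign, tunnel_addrs):
    """Share of users whose exit IP sits at the same pool position on both servers."""
    same = sum(
        relative_position("server-a", assign("server-a", t))
        == relative_position("server-b", assign("server-b", t))
        for t in tunnel_addrs
    )
    return same / len(tunnel_addrs)

if __name__ == "__main__":
    print("positional mapping:", linkable_fraction(exit_ip_positional, USERS))
    print("keyed mapping:     ", linkable_fraction(exit_ip_keyed, USERS))
```

Under the positional model every user keeps the same position across servers, while the keyed variant matches only at roughly the chance rate of one in the pool size. Because many users share each exit IP, a matching position is a guess rather than proof, which is consistent with the company's statement.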
A win for the wider ecosystem
Interestingly, Mullvad’s quick remedy will not only protect its direct customers. The patch will naturally benefit users of other privacy tools that rely on Mullvad’s server infrastructure as an exit node.
As Obscura founder Carl Dong noted in a post on X, because Obscura uses Mullvad’s network, this incoming anti-fingerprint patch will seamlessly pass downstream and actively support the privacy guarantees for users across multiple services.



