Mullvad VPN has disclosed a fingerprinting vulnerability that could allow websites to link a user's activity across different VPN servers.

When a user switches servers, their exit IP address lands in a predictable position within the new server's IP range, allowing third parties to connect activity on the old server to the new one.

"On Friday the 15th of May, we became aware of a fingerprinting issue affecting Mullvad users. We have a method which changes this behaviour currently being tested, with plans to begin rolling it out to our VPN servers in the coming weeks. Read more here:…"
May 20, 2026

How the fingerprinting flaw works

Each Mullvad VPN server assigns users one exit IP from a range of addresses. Every device has a unique WireGuard encryption key tied to an internal tunnel address, and exit IPs are assigned based on that address's relative position in the server's range.

If that position is 40% on Server A, it will be approximately 40% on Server B. A website observing traffic across multiple servers could therefore infer the same user appeared on both.

Why Mullvad VPN's network design created the issue

Unlike most VPNs, Mullvad VPN operates a range of exit addresses per server to reduce overcrowding and avoid mass IP blocks, and it's this architecture that makes consistent positional assignment possible.

The issue was flagged by an independent security researcher on May 15. Mullvad VPN acknowledged the disclosure promptly and published a detailed technical breakdown on its blog.

What Mullvad VPN users should do now
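
The positional assignment described under "How the fingerprinting flaw works", modelled as an added example (not Mullvad's code and not its announced fix): it measures how closely a device's relative position matches across two servers under a proportional mapping, next to a hypothetical per-server keyed mapping. The tunnel pool, exit ranges, secrets and all function names are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not Mullvad's real ranges.
TUNNEL_POOL = ipaddress.ip_network("10.64.0.0/16")   # assumed internal tunnel pool
SERVER_A = ipaddress.ip_network("198.51.100.0/26")   # 64 exit IPs
SERVER_B = ipaddress.ip_network("203.0.113.0/25")    # 128 exit IPs
SECRETS = {SERVER_A: b"constructed-secret-a", SERVER_B: b"constructed-secret-b"}


def proportional_exit(tunnel_ip, exit_net):
    """Simplified model of the described behaviour: the exit IP takes the same
    relative position in the exit range as the tunnel address has in its pool."""
    offset = int(ipaddress.ip_address(tunnel_ip)) - int(TUNNEL_POOL.network_address)
    return exit_net[offset * exit_net.num_addresses // TUNNEL_POOL.num_addresses]


def keyed_exit(tunnel_ip, exit_net):
    """Hypothetical alternative (not Mullvad's fix): the index comes from an HMAC
    under a per-server secret, so positions on two servers are unrelated."""
    digest = hmac.new(SECRETS[exit_net], tunnel_ip.encode(), hashlib.sha256).digest()
    return exit_net[int.from_bytes(digest[:8], "big") % exit_net.num_addresses]


def relative_position(exit_ip, exit_net):
    """Fraction of the way through the range, computable from the exit IP alone
    once the server's range is known."""
    return (int(exit_ip) - int(exit_net.network_address)) / exit_net.num_addresses


def position_gap(assign, tunnel_ip):
    """Difference in relative position for one device between servers A and B."""
    a = relative_position(assign(tunnel_ip, SERVER_A), SERVER_A)
    b = relative_position(assign(tunnel_ip, SERVER_B), SERVER_B)
    return abs(a - b)


def gap_stats(assign, step=37):
    """(max, mean) gap over a deterministic sample of tunnel addresses."""
    gaps = [position_gap(assign, str(TUNNEL_POOL[i]))
            for i in range(0, TUNNEL_POOL.num_addresses, step)]
    return max(gaps), sum(gaps) / len(gaps)


if __name__ == "__main__":
    for name, fn in (("proportional", proportional_exit), ("keyed", keyed_exit)):
        worst, mean = gap_stats(fn)
        print(f"{name:12s} max gap {worst:.4f}  mean gap {mean:.4f}")
```

Under the proportional model the gap never exceeds the rounding granularity of the ranges, while the keyed mapping spreads positions independently on each server.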