- Mullvad has started testing a fix for recently encountered IP fingerprinting issues
- The company confirmed that the error does not reveal the user’s true identity.
- The patch is expected to begin rolling out in the coming weeks.
Following the discovery of a minor network vulnerability earlier this month, Mullvad has begun testing a mitigation to address an outbound IP fingerprinting issue across its entire server fleet.
Last Friday, May 15, the privacy-focused provider realized that its servers were mapping outbound IP addresses in a highly predictable manner after a security researcher found this flaw during a security scan. If a user jumped from one location to another, a mathematical quirk meant their sessions could be linked, compromising the anonymity of the server switch.
While this flaw never ran the risk of exposing your true IP address or personal identity, it allowed websites to see that the same anonymous person who was connecting from Server A was now connecting from Server B.
Now, Mullvad has designed a permanent solution to sever this link. This ensures that the network's privacy standards remain on par with the best VPN services on the market. The rollout is expected to begin in the coming weeks and anyone can follow the progress of the update here.
The announcement comes as Mullvad co-founder and co-CEO Fredrik Strömberg quickly acknowledged the problem and promised a fix for any unintended behavior and a re-evaluation of “whether the intended behaviors are acceptable or not.”
We have approached Mullvad for further comment.
How the vulnerability works
Each Mullvad server hosts multiple users sharing a single output IP. To handle heavy traffic, these servers use a wide range of output addresses. When a user connects, their device uses a unique WireGuard key to encrypt the connection, along with an internal tunnel address.
Because of how these internal addresses were processed, it was very likely that a user who changed servers would be assigned an output address with exactly the same relative position.
“When a user switches from one VPN server to another, this sometimes makes it possible for services like websites to confidently guess that the same user who connected from the new VPN server is the one who connected from the old VPN server,” the company explained in its announcement.
On Friday, May 15, we learned of a fingerprint issue affecting Mullvad users. A method that changes this behavior is currently being tested and we plan to begin rolling it out to our VPN servers in the coming weeks. Read more here:…May 20, 2026
The company assures, however, that “this does not reveal the identity of the user.”
Mullvad also added that because each output IP is shared by multiple users, the failure will not provide certainty, but “in many cases good guesses can be made.”
To permanently close the loophole, Mullvad is currently testing a new internal method for assigning outbound IPs. The company confirmed that this upcoming patch “will not provide information about which egress address is used on another VPN server or by another user on the same server.”
The update will be rolled out gradually over the next few weeks. Meanwhile, if your personal threat model requires absolute separation between server sessions, Mullvad recommends logging out and logging back into the application before switching servers. This action forces the application to generate a new WireGuard key and an internal IP address.
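The linkage described above can be measured with a small model. This is an added example, not Mullvad's code: the article does not say how tunnel addresses were processed, so the modulo mapping, the HMAC-based alternative, the pool ranges, the secrets and the tunnel addresses are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress

POOL_SIZE = 16
# Constructed egress pools (documentation ranges) for two hypothetical servers.
POOLS = {
    "server-a": [f"198.51.100.{10 + i}" for i in range(POOL_SIZE)],
    "server-b": [f"203.0.113.{40 + i}" for i in range(POOL_SIZE)],
}
# Hypothetical per-server secrets; real ones would be random and never leave the server.
SECRETS = {"server-a": b"constructed-secret-a", "server-b": b"constructed-secret-b"}


def predictable_slot(tunnel_ip, server):
    """Assumed flawed model: the slot depends only on the tunnel address."""
    return int(ipaddress.ip_address(tunnel_ip)) % len(POOLS[server])


def keyed_slot(tunnel_ip, server):
    """Assumed hardened model: slot from HMAC(per-server secret, tunnel address)."""
    packed = ipaddress.ip_address(tunnel_ip).packed
    digest = hmac.new(SECRETS[server], packed, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % len(POOLS[server])


def egress_ip(slot_fn, tunnel_ip, server):
    """Egress address a website would see for this tunnel address on this server."""
    return POOLS[server][slot_fn(tunnel_ip, server)]


def link_rate(slot_fn, tunnel_ips):
    """Share of users who land on the same relative pool position on both servers."""
    same = sum(slot_fn(ip, "server-a") == slot_fn(ip, "server-b") for ip in tunnel_ips)
    return same / len(tunnel_ips)


# Constructed tunnel addresses standing in for 2000 users.
BASE = ipaddress.ip_address("10.64.0.1")
USERS = [str(BASE + 7 * i) for i in range(2000)]

if __name__ == "__main__":
    print("predictable:", link_rate(predictable_slot, USERS))
    print("keyed:      ", link_rate(keyed_slot, USERS))
    print("chance:     ", 1 / POOL_SIZE)
```

Under the predictable model every user keeps the same relative position after a switch, while the keyed model drops the match rate to roughly the chance level of one in the pool size.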
A victory for the broader ecosystem
Interestingly, Mullvad’s quick solution will not only protect its direct customers. The patch will natively benefit users of other privacy tools that rely on Mullvad server infrastructure as an exit node.
As Obscura founder Carl Dong noted in a post on




