Mullvad VPN Fingerprinting Issue Explained
What happened, what did not leak, and what users should do
Mullvad has confirmed an exit IP fingerprinting issue that could let websites make a stronger-than-normal guess that the same anonymous VPN user had moved from one Mullvad server to another. That sounds alarming, but the important detail is this: the issue was about linking VPN sessions, not revealing a customer’s home IP address or real-world identity.
Quick Verdict
Not a disaster, but a useful privacy warning
This Mullvad issue is best described as a linkability problem. A website could potentially connect the dots between one Mullvad exit server and another, especially if the user switched servers while keeping the same internal tunnel address. That does not mean the website suddenly knew the person’s name, home broadband IP, payment details or device location.
What Happened?
Mullvad said it became aware of the fingerprinting issue on 15 May 2026 and published its own explanation on 20 May 2026. The short version is that switching from one Mullvad server to another could, in some cases, leave enough of a pattern for websites to guess that both visits came from the same anonymous VPN user.
The problem sat in how exit IPs were assigned. VPN servers normally have a pool of exit addresses, because many people use the same server at once. In this case, a user moving between different servers could end up with an exit address in a similar relative position within each server’s exit IP range.
Plain English version: changing servers did not always create as clean a break between sessions as privacy-conscious users would expect.
Did This Leak Real IP Addresses?
Based on Mullvad’s disclosure, this was not a traditional VPN leak. A real IP leak would mean a website could see the user’s actual home, mobile or workplace IP address instead of the VPN server address. That is not what Mullvad described.
The risk was more subtle. A website could potentially say: “The anonymous visitor who appeared from Server A now looks like the anonymous visitor appearing from Server B.” For everyday browsing, that may not matter much. For people using server changes to separate identities or sessions, it matters more.
| Question | Answer | Why It Matters |
|---|---|---|
| Was the real IP exposed? | No evidence from the disclosure | The issue did not appear to reveal the user’s home connection. |
| Could activity be linked? | Sometimes, yes | That weakens the privacy value of switching VPN servers. |
| Was identity revealed? | Not directly | The concern was anonymous session correlation, not identification. |
How The Fingerprinting Worked
Mullvad uses WireGuard, where each device has a key used for the encrypted VPN connection. There is also an internal tunnel address. Under the affected behaviour, if the same internal tunnel address was used when moving between servers, the exit IP assignment could follow a predictable pattern.
A simple way to picture it
Imagine Server A has a row of exit IPs and your traffic exits around 40% of the way through that row. You then switch to Server B. If your traffic again exits around 40% of the way through Server B’s row, a website watching both visits has a clue. It still may not be certain, because many users can share exit addresses, but it is more information than a privacy-focused VPN user would want to leak.
This is why the issue is called fingerprinting. It is not fingerprinting your browser screen size, fonts or hardware. It is a network-level pattern that can make two otherwise anonymous VPN sessions look related.
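The "40% of the way through the row" picture can be measured. The sketch below is an added example, not Mullvad's code or its fix: the pools, the tunnel addresses, the secrets and both assignment functions are constructed assumptions. It compares an assignment that places a tunnel address at the same fraction of every pool with one that is keyed per server.

```python
import hashlib
import hmac
import ipaddress

# Constructed exit pools in documentation ranges (not real Mullvad addresses).
POOLS = {
    "server-a": [ipaddress.ip_address("192.0.2.0") + i for i in range(64)],
    "server-b": [ipaddress.ip_address("198.51.100.0") + i for i in range(128)],
}
# Hypothetical per-server secrets, used only by the contrasting model.
SECRETS = {"server-a": b"constructed-a", "server-b": b"constructed-b"}

def _digest64(tunnel_ip, key):
    """Map a tunnel address to a 64-bit integer under the given key."""
    mac = hmac.new(key, tunnel_ip.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")

def exit_predictable(tunnel_ip, server):
    """Assumed weak model: the same fraction of every pool for a given tunnel address."""
    pool = POOLS[server]
    return pool[(_digest64(tunnel_ip, b"shared") * len(pool)) >> 64]

def exit_per_server(tunnel_ip, server):
    """Contrasting model: the index is keyed per server, so positions are unrelated."""
    pool = POOLS[server]
    return pool[_digest64(tunnel_ip, SECRETS[server]) % len(pool)]

def relative_position(exit_ip, server):
    """Fraction of the way through the server's pool at which this exit IP sits."""
    pool = POOLS[server]
    return pool.index(exit_ip) / len(pool)

def linkable_fraction(assign, tunnel_ips, tolerance=0.02):
    """Share of users whose relative exit position on A and B agrees within tolerance."""
    hits = 0
    for ip in tunnel_ips:
        a = relative_position(assign(ip, "server-a"), "server-a")
        b = relative_position(assign(ip, "server-b"), "server-b")
        hits += abs(a - b) <= tolerance
    return hits / len(tunnel_ips)

# Constructed internal tunnel addresses for 2000 simulated users.
USERS = [f"10.64.{i // 256}.{i % 256}" for i in range(2000)]

if __name__ == "__main__":
    print("predictable:", linkable_fraction(exit_predictable, USERS))
    print("per-server :", linkable_fraction(exit_per_server, USERS))
```

In the predictable model every simulated user lands at a matching relative position on both servers; in the per-server model the match rate falls to roughly what two unrelated users would show by chance.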
Who Should Care Most?
Not every VPN user has the same risk profile. For someone using a VPN on public Wi-Fi, this is probably not the issue that keeps them up at night. For someone deliberately changing VPN servers to split identities, sessions or activity trails, it deserves attention.
- Low concern: casual users who mainly want safer public Wi-Fi and a visible IP different from their home connection.
- Medium concern: users who frequently switch locations and expect each server change to reduce tracking.
- Higher concern: journalists, activists, researchers, whistleblowers, sensitive workers or anyone whose threat model depends on strict separation between sessions.
The key question is not “Do I use Mullvad?” It is “Do I rely on server switching to make one browsing session hard to connect with another?”
What Mullvad Is Doing About It
Mullvad says it is changing the method used to assign exit IP addresses. The goal is that the exit address used on one VPN server should not reveal useful information about the exit address used on another server, or by another user on the same server.
TechRadar reported that Mullvad had started testing a mitigation and that deployment was expected to begin across VPN servers in the coming weeks. That makes this a live patching story rather than a theoretical blog debate.
Mullvad publicly explained the issue, gave interim user advice, and said a fix was being tested. That transparency is a positive sign, but privacy-focused users should still check rollout progress before assuming the issue is fully closed.
What Mullvad Users Should Do
Mullvad’s temporary advice is simple: if you switch servers specifically to prevent activity on one server being linked to activity on another, log out and log back into the Mullvad app before switching servers. That regenerates the WireGuard key and changes the internal IP address.
- Check your threat model: casual browsing and high-risk compartmentalisation are not the same thing.
- Use Mullvad’s workaround when needed: log out and back in before switching servers if session separation matters.
- Watch for rollout updates: do not assume every server has been patched until Mullvad says the rollout is complete.
- Remember browser tracking: cookies, logins and browser fingerprints can still link you even when the VPN behaves perfectly.
- Test your visible IP: after changing VPN settings, confirm what websites can actually see.
After changing VPN servers, check your visible IP and confirm your VPN tunnel is active.
FAQs
Was Mullvad hacked?
No. The public information describes a networking and exit IP assignment issue, not a breach of Mullvad’s systems or a theft of user records.
Did this reveal users’ real IP addresses?
Mullvad says the issue did not reveal the identity of the user. The concern was that websites could sometimes guess that the same anonymous VPN user had moved from one server to another.
Should I stop using Mullvad?
Not necessarily. For many users, this is a narrower privacy concern rather than a deal-breaker. If your threat model depends on strong separation between VPN sessions, follow Mullvad’s temporary workaround and monitor the patch rollout.
What is exit IP fingerprinting?
Exit IP fingerprinting is when patterns in the VPN exit address make sessions easier to correlate. In this case, the concern was that a user could appear in a similar relative position across different Mullvad server IP ranges.
Can websites still track me even with a VPN?
Yes. A VPN hides your real IP address from websites, but it does not automatically block cookies, account logins, browser fingerprinting, payment trails or behaviour-based tracking.
Debrief by Ech the Tech Fox
Do not confuse this with a classic VPN leak. The issue did not appear to expose real IP addresses, but it did show why privacy depends on the boring technical details. If you use server switching for serious separation, treat Mullvad’s logout-and-login workaround as the sensible temporary move until the fix is fully deployed.

Written by Martin Needs
Director @ Needsec LTD | Cybersecurity Expert | 10+ Years Experience
"This is a good example of why VPN testing should not stop at checking whether your real IP appears. Session linkability, exit IP behaviour and protocol implementation details can all affect privacy, even when the basic tunnel is working."
Sources
- Mullvad: Exit IP fingerprinting between VPN servers — published 20 May 2026.
- TechRadar: Mullvad to patch VPN fingerprinting issue — published 21 May 2026.
