
New security audit of account and payment services

External audits 

Late last year X41 D‑Sec GmbH performed a white‑box source‑code audit of the Mullvad payment and account API and its supporting backend services.

The engagement covered the parts of the system that handle authentication, device provisioning, payment processing and the distribution of WireGuard keys.

Read the full audit report here.

What the audit found

The auditors identified five security‑relevant findings – two low‑severity and three medium‑severity issues – together with a number of informational notes. Importantly, none of the reported issues give an attacker the ability to access user data, nor do they weaken the privacy guarantees that Mullvad promises to its users.

The most notable issue is a voucher race condition that could let a single voucher be applied to multiple accounts. This affects billing only and does not expose any personal information.
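An added example of the bug class named above, written for this post and not taken from the report or from Mullvad's backend (the table layout, account names and voucher value are constructed): a check-then-apply redemption that two interleaved requests can both pass, beside a single conditional UPDATE that lets exactly one claim succeed.

```python
import sqlite3


def setup_db():
    """In-memory store with one constructed voucher worth 30 units; autocommit so each statement is visible immediately."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE vouchers (code TEXT PRIMARY KEY, value INTEGER, redeemed_by TEXT)")
    conn.execute("CREATE TABLE credits (account TEXT, amount INTEGER)")
    conn.execute("INSERT INTO vouchers VALUES ('VOUCHER-1', 30, NULL)")  # constructed sample row
    return conn


def redeem_check_then_apply(conn, code, account, between=None):
    """Racy pattern: read the voucher, then mark it used. `between` models another request running in the gap."""
    row = conn.execute("SELECT value, redeemed_by FROM vouchers WHERE code = ?", (code,)).fetchone()
    if row is None or row[1] is not None:
        return False
    if between:
        between()  # a concurrent request sees the voucher still unredeemed here
    conn.execute("UPDATE vouchers SET redeemed_by = ? WHERE code = ?", (account, code))
    conn.execute("INSERT INTO credits VALUES (?, ?)", (account, row[0]))
    return True


def redeem_atomic(conn, code, account, between=None):
    """Fixed pattern: claim and check in one conditional UPDATE; only the request that changes the row wins."""
    cur = conn.execute(
        "UPDATE vouchers SET redeemed_by = ? WHERE code = ? AND redeemed_by IS NULL", (account, code)
    )
    if cur.rowcount != 1:
        return False  # someone else already claimed it
    if between:
        between()  # a concurrent request now finds redeemed_by set and is rejected
    value = conn.execute("SELECT value FROM vouchers WHERE code = ?", (code,)).fetchone()[0]
    conn.execute("INSERT INTO credits VALUES (?, ?)", (account, value))
    return True


def interleaved_total(conn, redeem):
    """Account A starts redeeming; B's whole redemption runs while A sits between check and apply.
    Returns ([B's result, A's result], total credited)."""
    results = []
    ok_a = redeem(conn, "VOUCHER-1", "acct-A",
                  between=lambda: results.append(redeem(conn, "VOUCHER-1", "acct-B")))
    results.append(ok_a)
    total = conn.execute("SELECT COALESCE(SUM(amount), 0) FROM credits").fetchone()[0]
    return results, total
```

With the racy version both accounts are credited (60 units from a 30-unit voucher); with the conditional UPDATE only the first claim succeeds. In production the claim and the credit belong in one database transaction so a crash between them cannot consume the voucher without crediting anyone.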

Two of the medium findings were redacted to avoid publishing details that could cause availability issues. Those redactions do not hide any vulnerability that would compromise user privacy.

The remaining “informational” notes flag a variety of hardening opportunities – from improving mTLS usage across internal services to simplifying the Nginx configuration and signing the relay list – all of which we are looking into to further strengthen the overall security posture.

Redactions – why some details stay private

Four of the findings were redacted from the public version of the report. Those items describe potential ways of causing availability issues. They do not affect the confidentiality or integrity of customer data.

Looking back – the previous audit

This audit builds on the work presented in our earlier Security audit of account and payment services (2023). The current 2025 audit confirms that our account and payment service continues to hold up under close scrutiny, while also highlighting areas where modern best practices can be applied.