"In conclusion, the reviewed scope appears to be on a good security level compared to systems of similar size and complexity." — Independent review confirms Mullvad’s strong privacy protections


  • A new audit has found no critical flaws in Mullvad’s account and payment systems
  • Only minor issues were identified, with no impact on user privacy
  • Results underscore Mullvad’s transparency-first approach

In late 2025, Mullvad, one of the best VPN services for privacy, commissioned a comprehensive security audit of its account and payment services to prove the robustness and integrity of these critical backend systems.

X41 D-Sec’s audit reviewed Mullvad components that manage user authentication, device provisioning, payment processing, and distribution of WireGuard keys, all of which are core pieces that help keep Mullvad’s VPN service secure for subscribers.

The publicly released results confirm the platform’s security, with X41 identifying five security-relevant issues: three medium-severity and two low-severity.

Importantly, none of the issues allowed attackers to access user data or otherwise weaken Mullvad’s privacy guarantees.

What the audit found – and what it didn’t

The audit by German security firm X41 D-Sec focused specifically on Mullvad’s account and payment infrastructure.

This included APIs responsible for account creation, authentication, device management, voucher redemption, and WireGuard key distribution. Carried out as a white-box assessment, the review gave auditors full access to source code, configurations, and system architecture.

X41 identified a total of five security-relevant findings, three of which were rated as medium severity and two as low severity. None of these issues enabled unauthorized access to user accounts or exposed personal data, nor did they weaken Mullvad’s privacy model.

The most notable issue was a race condition in voucher handling that could allow a voucher to be redeemed more than once under specific circumstances.

Some report findings were redacted to prevent potential service disruptions. In addition to vulnerabilities, the auditors provided informational recommendations aimed at further hardening the system.

These included improved internal authentication mechanisms and configuration simplifications.

What this means for Mullvad users

Mullvad has itself reiterated that the audit confirms the strength of its account and payment infrastructure, building on work undertaken following a previous audit in 2023.

The audit reflects Mullvad’s ongoing commitment to transparency and proactive security practices – something the company has upheld through regular external reviews of its backend systems and apps, as well as its no-logs policy.

Indeed, previous audits have also reported robust security, with only minor issues identified and promptly addressed.

For current and would-be Mullvad users, these results reinforce Mullvad’s reputation as a privacy-first VPN provider that not only promises strong data protections but backs up those promises through meaningful third-party evaluation.

Mark Gill
Tech Security Writer

