www.malwarebytes.com 4/2/2026, 1:26:41 PM · via preferred

First Malwarebytes VPN audit uncovers critical infrastructure flaws

Malwarebytes Privacy VPN has undergone its first third-party audit, released on 2 April 2026, with findings presented by the audit firm X41 D-Sec. The assessment of Malwarebytes Privacy VPN’s software identified 2 issues rated as Critical, 0 as High, 2 as Medium and 2 as Low, with severity levels assigned using the Common Vulnerability Scoring System (CVSS).

According to X41 D-Sec’s final report, the systems demonstrated strong security overall and showed no evidence of user activity logging, while access to systems was tightly controlled and most vulnerabilities had already been addressed, including one critical issue; remaining items were in the process of being resolved.

The disclosure notes that Malwarebytes has already fixed one Critical vulnerability, two Medium vulnerabilities and one Low vulnerability, and is actively working to fix one remaining Critical vulnerability and one remaining Low vulnerability in the software stack.

The audit highlights two Critical issues: one with a CVSS score of 9.4, linked to Debian image verification during server setup, and one with a CVSS score of 9.3, related to PXE booting without cryptographic signatures. Malwarebytes says it has addressed or is addressing these issues.

Article by CyberSIXT