Planned Fix
CVE-2026-4368
Session mix-up race condition in Citrix NetScaler ADC/Gateway
A race condition in NetScaler Gateway/session handling may cause user sessions to be mixed up under certain gateway or AAA configurations, potentially exposing sensitive data and impacting session integrity.
Type
Unknown
Auth Required
Unknown
PoC Available
No
Vendor
Citrix
Product
NetScaler ADC and NetScaler Gateway
Exposure
Internet-facing
Default Config
Unknown
CVSS Score
Not available
- Name
- Session mix-up race condition in Citrix NetScaler ADC/Gateway
- Summary
- A race condition in NetScaler Gateway/session handling may cause user sessions to be mixed up under certain gateway or AAA configurations, potentially exposing sensitive data and impacting session integrity.
- Vendor
- Citrix
- Product Name
- NetScaler ADC and NetScaler Gateway
- Product Description
- Application delivery controller (ADC) and gateway appliances that provide load balancing, remote access, authentication and SSL VPN capabilities for enterprise applications.
- Affected Versions
- Unknown (public details not disclosed)
- Affected Component
- Gateway/session handling component within Citrix NetScaler ADC and NetScaler Gateway, vulnerable to a race condition that causes session mix-ups.
- Component URLs
- Not available
- Protocol
- HTTPS
- Ports
- 443, 80
- Internet-facing Likelihood
- 60%
- Exposure Level
- Internet-facing
- Enterprise Usage
- 60%
- Type
- Unknown
- Impact
- Risk of session hijacking and unauthorized access to data due to a race condition in session handling within the NetScaler Gateway authentication flow.
- Exploitation Description
- An attacker may craft requests targeting a NetScaler Gateway or AAA virtual server to race the session initialization/validation paths, causing the appliance to swap or duplicate sessions; success would be observed as unexpected session/context changes and potential data exposure.
- Detection Method
- No
- Detection Method Types
- Not available
- Detection Method URLs
- Not available
- PoC Available
- No
- PoC URLs
- Not available
- Default Config Exploitable
- Unknown
- Exploitation Requirements
- Exposed NetScaler Gateway/AAA virtual server; vulnerable firmware version; network access to the affected appliance.
- Requirements URLs
- Not available
- Requirements Probability
- 60%
- Authentication Needed
- Unknown
- CVE ID
- CVE-2026-4368
- Description
- Race condition in Citrix NetScaler ADC and NetScaler Gateway session handling that can lead to session mix-ups when the appliance is configured with gateway or AAA virtual servers.
- CVSS Score
- Not available
- Published
- Not available
- Last Modified
- Not available
- CVSS Vector
- Not available
- Attack Vector (AV)
- Not available
- Attack Complexity (AC)
- Not available
- Privileges Required (PR)
- Not available
- User Interaction (UI)
- Not available
- Scope (S)
- Not available
- Confidentiality (C)
- Not available
- Integrity (I)
- Not available
- Availability (A)
- Not available
- CWE
- Not available
- CPE Configuration
- Not available
- Version From
- Not available
- Version UpTo
- Not available
- Remediation Type
- Not available
- Remediation Description
- No official remediation details are publicly available at the time of writing. Vendor guidance indicates upgrading NetScaler firmware to a fixed version once released; monitor Citrix advisories for an official patch.
- EPSS Score
- Not available
- EPSS Percentile
- Not available
- EPSS Last Updated
- Not available
- CISA KEV
- No
- CISA KEV Date Added
- Not available
- Active Exploitation
- No evidence
- Active Exploitation URLs
- Not available
- Threat Actors
- Not available
- Threat Actors URLs
- Not available
- IOCs
- Not available
- Detection Rules
- Not available
- Threat Hunting URLs
- Not available