CVE-2026-4368

Race Condition leading to User Session Mixup

Basic Information

CVE State: PUBLISHED
Reserved Date: March 18, 2026
Published Date: March 23, 2026
Last Updated: May 10, 2026
Vendor: NetScaler
Product: ADC, Gateway
Description: Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup

CVSS Scores

CVSS v4.0

7.7 - HIGH

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC Information

Exploitation: none
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-03-31 10:46:28 UTC) Source

References

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-03-31 10:46:28 UTC

Timeline

CVE ID Reserved

March 18, 2026
CVE Published to Public

March 23, 2026
Added to KEVIntel

March 31, 2026