Mallory · Severity: High

User Session Mixup Race Condition in Citrix NetScaler ADC and NetScaler Gateway

Identifiers: CVE-2026-4368 · CWE-362 (Concurrent Execution using Shared…)

CVE-2026-4368 is a race condition vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can lead to user session mix-up. The issue affects appliances when configured as a Gateway, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy, or as an AAA virtual server. Reported affected builds specifically include NetScaler ADC and NetScaler Gateway 14.1-66.54 under those configurations. Successful triggering of the race condition can cause one user’s authenticated session context to be associated with another user, resulting in unintended session crossover and exposure of another user’s active session.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

The primary impact is unauthorized access to another user’s active authenticated session. This can expose sensitive information visible within that session and may grant unintended access to resources, applications, or actions available to the affected user. In practical terms, the flaw creates an access-control failure between concurrent users of the appliance’s gateway or AAA services, with potential confidentiality and integrity consequences depending on what the mixed-up session can access.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by restricting access to affected Gateway and AAA virtual server deployments using network-level controls such as IP allowlisting and limiting external reachability where operationally feasible. Identify exposed configurations by reviewing NetScaler configuration for gateway and AAA virtual server definitions, including strings such as "add authentication vserver ." and "add vpn vserver .". Because the issue affects session handling, organizations should also consider expiring active sessions after remediation as a precaution.

Remediation

Patch, then assume compromise.

Upgrade affected customer-managed NetScaler ADC and NetScaler Gateway appliances to a fixed version. According to the advisory data on this page, the issue was fixed in version 14.1-60.58, and remediated 14.1 builds include 14.1-66.59 and later; administrators should follow Citrix advisory CTX696300 and the vendor release notes as the source of truth for the correct fixed build for their branch. Citrix-managed cloud services and Citrix-managed Adaptive Authentication were updated by the vendor.
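As an added example (not Mallory's or Citrix's own tooling), the following Python script applies the checks from the Mitigation and Remediation sections to an exported ns.conf: it lists Gateway and AAA virtual servers from the "add vpn vserver" / "add authentication vserver" lines and flags 14.1 builds below the remediated build quoted above. The sample configuration, the "#NS14.1 Build" header format and the fixed-build threshold are assumptions; confirm the correct fixed build against CTX696300.

```python
import re

# Constructed sample of the relevant ns.conf lines (not from any real appliance).
SAMPLE_NS_CONF = """\
#NS14.1 Build 66.54
add ns ip 10.0.0.10 255.255.255.0 -vServer DISABLED
add vpn vserver gw_users SSL 203.0.113.10 443 -icaOnly OFF
add authentication vserver aaa_corp SSL 203.0.113.11 443
add lb vserver web_lb HTTP 10.0.0.50 80
"""

# Remediated 14.1 build quoted on this page (14.1-66.59); confirm against CTX696300.
FIXED_141_BUILD = (14, 1, 66, 59)

# Assumed ns.conf conventions: a "#NS<ver> Build <build>" header line and
# "add <vpn|authentication> vserver <name> <proto> <ip> <port> ..." entries.
BUILD_RE = re.compile(r"^#NS(\d+)\.(\d+) Build (\d+)\.(\d+)", re.M)
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+) (\S+) (\S+) (\d+)", re.M)


def parse_build(conf):
    """Return the build as a comparable tuple, e.g. (14, 1, 66, 54), or None."""
    m = BUILD_RE.search(conf)
    return tuple(int(x) for x in m.groups()) if m else None


def exposed_vservers(conf):
    """List Gateway (vpn) and AAA (authentication) vservers with their VIPs."""
    return [
        {"kind": kind, "name": name, "proto": proto, "ip": ip, "port": int(port)}
        for kind, name, proto, ip, port in VSERVER_RE.findall(conf)
    ]


def assess(conf, fixed=FIXED_141_BUILD):
    """Return (needs_action, findings): action is needed when a 14.1 build
    below the fixed build also serves Gateway or AAA virtual servers."""
    build = parse_build(conf)
    vservers = exposed_vservers(conf)
    # Other branches (e.g. 13.1) are not compared here; check them by hand.
    below_fixed = build is not None and build[:2] == fixed[:2] and build < fixed
    needs_action = below_fixed and bool(vservers)
    return needs_action, {"build": build, "below_fixed": below_fixed, "vservers": vservers}


if __name__ == "__main__":
    needs_action, findings = assess(SAMPLE_NS_CONF)
    print("build:", findings["build"], "below fixed build:", findings["below_fixed"])
    for v in findings["vservers"]:
        print(f"  {v['kind']:<14} {v['name']:<12} {v['proto']} {v['ip']}:{v['port']}")
    print("needs action:", needs_action)
```

Run it against a copy of ns.conf pulled from the appliance; a "needs action" result means the build is below the quoted fixed build and a Gateway or AAA vserver is configured, so the appliance should be patched and, as the Mitigation section suggests, active sessions expired afterwards.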

PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor           Product             Type
Citrix Systems   NetScaler ADC       application
Citrix Systems   NetScaler Gateway   application

Vendor-confirmed product mapping.
