# CVE-2026-4368

> Race condition vulnerability (CWE-362) in Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Under specific timing conditions during concurrent user authentication, the race condition causes one user's authenticated session context to be incorrectly associated with another user, enabling session hijacking and unauthorized access to another user's resources. Disclosed alongside CVE-2026-3055 (pre-auth memory overread, CVSS 9.3) in Citrix security bulletin CTX696300 on March 23, 2026. Only build 14.1-66.54 is affected.

- **CVSS:** 7.7 (HIGH)
- **EPSS:** 0.0%
- **CWE:** CWE-362

Canonical: https://intel.threadlinqs.com/cve/CVE-2026-4368
