
CVE-2026-4368 is a race condition vulnerability in Citrix NetScaler ADC and NetScaler Gateway that causes user session mixup when the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It was published on March 23, 2026, and affects NetScaler ADC and Gateway versions prior to 14.1.66.54. It is classified as CWE-362 (Race Condition) and carries a CVSS v4.0 base score of 7.7 (High) (Feedly, Citrix Advisory). It was disclosed alongside CVE-2026-3055, a critical out-of-bounds memory read affecting the same products.
The root cause is improper synchronization of concurrent execution over shared session resources (CWE-362 / CAPEC-26: Leveraging Race Conditions). When the appliance processes simultaneous authentication or session-establishment requests under a Gateway or AAA virtual server configuration, a timing window allows session state to be assigned to the wrong user, resulting in session mixup. Exploitation requires low-privileged authenticated access and a specific timing condition (CVSS v4.0 Attack Requirements: Present), so it is not trivially automatable, but it is feasible under concurrent load. Technical analysis has been published by Picus Security and Horizon3.ai in the context of the broader NetScaler vulnerability cluster dubbed "CitrixBleed 3" (Picus Security, Horizon3.ai).
Successful exploitation has high confidentiality, integrity, and availability impact on the vulnerable system (CVSS v4.0 VC:H/VI:H/VA:H). An authenticated attacker who wins the race may be handed another user's active session, exposing session tokens, credentials, or data transmitted through the VPN or proxy. Because the hijacked session may belong to a privileged user, this can enable lateral movement within the enterprise network and allow unauthorized actions to be performed on behalf of other authenticated users (Feedly, Picus Security).
Citrix has released a fixed version, NetScaler ADC and NetScaler Gateway 14.1.66.54, which addresses CVE-2026-4368 together with CVE-2026-3055. Administrators should upgrade to this version or later immediately. No configuration-based workaround has been publicly documented for CVE-2026-4368; the recommended remediation is to apply the vendor patch without delay. Exposure to this particular flaw is limited to appliances configured as a Gateway or AAA virtual server, but the same release carries the fix for CVE-2026-3055, so the upgrade should not be deferred on appliances that lack such a configuration. Multiple national CERTs (UK NCSC, Canadian CCCS, EU CERT, Irish NCSC, Singapore CSA, Belgian CCB, New Zealand NCSC) have issued urgent advisories urging immediate patching (Citrix Advisory, UK NCSC, BleepingComputer).
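A fleet version check, as an added example that is not part of the original report or of any Citrix tooling: it takes the text of `show ns version` captured from each appliance (the line layout `NetScaler NS<major>.<minor>: Build <build>.<patch>.nc` is assumed from typical appliance output, and the sample lines below are constructed), parses the version tuple, and flags 14.1 builds older than 14.1.66.54. Builds on other release trains are reported for manual review rather than passed silently, since this page names only the 14.1 fix.

```python
import re

# Fixed build named in the Citrix advisory for CVE-2026-4368 / CVE-2026-3055.
FIXED_BUILD = (14, 1, 66, 54)

# `show ns version` prints a line like
#   NetScaler NS14.1: Build 47.46.nc, Date: ...   (64-bit)
# The pattern below assumes that layout (release train, then build.patch).
_VERSION_RE = re.compile(r"NetScaler NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")

# Constructed sample output, one captured `show ns version` line per appliance.
# Illustrative strings only, not real fleet data.
SAMPLE_OUTPUTS = {
    "gw-edge-1": "NetScaler NS14.1: Build 47.46.nc, Date: Nov 1 2024, 10:20:31   (64-bit)",
    "gw-edge-2": "NetScaler NS14.1: Build 66.54.nc, Date: Mar 20 2026, 09:11:03   (64-bit)",
    "gw-edge-3": "NetScaler NS14.1: Build 66.60.nc, Date: Apr 2 2026, 11:45:12   (64-bit)",
    "lab-adc-1": "NetScaler NS13.1: Build 59.19.nc, Date: Jan 9 2026, 07:30:44   (64-bit)",
    "unknown-1": "Error: Connection timed out",
}


def parse_ns_version(text: str):
    """Return (major, minor, build, patch) from `show ns version` output, or None
    when no version line is present (e.g. the remote command failed)."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text: str, fixed=FIXED_BUILD) -> str:
    """Classify one appliance's `show ns version` output against the fixed build.

    Returns one of:
      'vulnerable' - same release train, build older than the fix
      'patched'    - same release train, fixed build or newer
      'review'     - different release train; the 14.1 fix says nothing about
                     it, so check the vendor advisory for that train
      'unparsed'   - no version line found
    Tuple comparison orders builds correctly:
      (14,1,65,99) < (14,1,66,54) < (14,1,66,60).
    """
    version = parse_ns_version(text)
    if version is None:
        return "unparsed"
    if version[:2] != fixed[:2]:
        return "review"
    return "patched" if version >= fixed else "vulnerable"


def audit(outputs: dict) -> dict:
    """Map appliance name -> assessment for a whole fleet's captured output."""
    return {name: assess(text) for name, text in outputs.items()}


if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_OUTPUTS).items()):
        print(f"{name:12} {status}")
```

In practice the captured text would come from running `show ns version` over SSH on each appliance (or from whatever inventory already stores it); the code deliberately does not open connections itself so that it can be run offline against saved output. Anything that comes back as `review` or `unparsed` needs a human look rather than being counted as safe.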
Citrix urged administrators to patch "as soon as possible," and the disclosure drew significant coverage across the security community, with repeated comparisons to the original CitrixBleed (CVE-2023-4966) incident (BleepingComputer, IT Security Guru). The Hacker News, BleepingComputer, Security Affairs, Infosecurity Magazine, and CSO Online all covered the disclosure, with CSO Online noting expert comparisons to CitrixBleed 2 in severity (The Hacker News, CSO Online). Rapid7, Horizon3.ai, Picus Security, and Qualys published technical analyses, and national CERTs across Europe, North America, and Asia-Pacific issued urgent advisories. Community sentiment on social media (Mastodon, Bluesky, Reddit) reflected high concern given the history of NetScaler exploitation (Rapid7, Qualys).
Source: This report was generated using AI.