
Overview
On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway. CVE-2026-3055 is classified as an out-of-bounds read with a CVSS score of 9.3, allowing unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory.
Vulnerability Details
The flaw stems from insufficient input validation leading to a memory overread condition (CWE-125: Out-of-Bounds Read). It requires no authentication, no user interaction, and no special preconditions beyond one key configuration requirement — the appliance must be configured as a SAML Identity Provider (IDP).
Default configurations are unaffected. To determine whether a device has been configured as a SAML IDP, Citrix urges customers to inspect their NetScaler configuration for the string: add authentication samlIdPProfile .*
Second Vulnerability — CVE-2026-4368
The second flaw, CVE-2026-4368 (CVSS 7.7), involves a race condition causing session mix-ups in appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or AAA virtual servers.
Affected Versions
CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.
Fixed Versions
- NetScaler ADC and NetScaler Gateway 14.1-66.59 and later
- NetScaler ADC and NetScaler Gateway 13.1-62.23 and later
- NetScaler ADC 13.1-FIPS / NDcPP 13.1-37.262 and later
Note: This advisory applies exclusively to customer-managed deployments. Citrix-managed cloud services and Adaptive Authentication instances have already been updated by Cloud Software Group.
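The two checks above (build string against the fixed versions, and the samlIdPProfile string in the configuration) can be combined into a single offline triage routine. This is an added example, not Citrix's tooling; the ns.conf excerpt is constructed and the version format assumed is the advisory's own "14.1-66.59" style.

```python
import re

# Fixed builds from the advisory for CVE-2026-3055, keyed by release train.
# The 13.1-FIPS entry also covers 13.1-NDcPP, which shares the 13.1-37.262 fix.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
}

# The advisory's indicator that the appliance acts as a SAML IdP.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\s", re.MULTILINE)

# Constructed ns.conf excerpt for demonstration (not from any real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof
"""


def version_status(version: str, fips_or_ndcpp: bool = False) -> str:
    """Compare a build string such as '14.1-66.59' with the advisory's fixed
    builds. Returns 'affected', 'fixed' or 'not listed' (train not in advisory)."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    train, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get(f"{train}-FIPS" if fips_or_ndcpp else train)
    if fixed is None:
        return "not listed"
    # Tuple comparison handles 66.9 < 66.59 correctly (no string compare).
    return "affected" if build < fixed else "fixed"


def has_saml_idp_profile(ns_conf: str) -> bool:
    """True when the configuration declares at least one SAML IdP profile."""
    return SAML_IDP_RE.search(ns_conf) is not None


def triage(version: str, ns_conf: str, fips_or_ndcpp: bool = False) -> dict:
    """CVE-2026-3055 is reachable only on an affected build that is also
    configured as a SAML IdP; report both conditions and their conjunction."""
    status = version_status(version, fips_or_ndcpp)
    saml_idp = has_saml_idp_profile(ns_conf)
    return {
        "version_status": status,
        "saml_idp_configured": saml_idp,
        "exposed_to_cve_2026_3055": status == "affected" and saml_idp,
    }


if __name__ == "__main__":
    for ver in ("14.1-66.54", "14.1-66.59", "13.1-62.23"):
        print(ver, triage(ver, SAMPLE_NS_CONF))
```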
Known Issue in Patched Build
Citrix identified a known issue in builds 14.1-66.54 and 14.1-66.59 affecting STA server binding configuration. When the STA server is configured using the full path (/scripts/ctxsta.dll), binding may fail, impacting authentication flows.
Exploitation Status
As of the advisory’s publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. The vulnerability was identified internally via security review. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public.
Historical Context
Security flaws in NetScaler devices have been repeatedly exploited by threat actors — CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775 — making timely patching imperative. watchTowr CEO Benjamin Harris noted that CVE-2026-3055 sounds suspiciously similar to Citrix Bleed and Citrix Bleed 2, which “continue to represent a trauma event for many.”
Interim Mitigations (per CERT-EU)
CERT-EU recommends the following until updates are deployed:
- Restrict access to NetScaler Gateway and AAA virtual servers using network-level controls such as IP allowlisting.
- Apply the Global Deny List (GDL) mitigation, which enables protection without a reboot.
- Take snapshots of appliances before patching to support potential post-exploitation forensic investigation.