Exploits

Citrix NetScaler Critical Flaw CVE-2026-3055: Patch Now

Published  ·  3 min read

Citrix has just released security updates addressing two vulnerabilities in its widely used NetScaler ADC and NetScaler Gateway products, including one critical flaw that could allow unauthenticated attackers to leak sensitive information from the appliance’s memory.

The more serious issue is CVE-2026-3055 (CVSS 9.3), described as an out-of-bounds read caused by insufficient input validation. Rapid7 and Citrix warn that this could let remote attackers read potentially sensitive data from memory,  a scenario that feels uncomfortably familiar to many security teams.

While there are similarities between the prior vulnerabilities to Citrix as per the CVE_ID numbers (CVE-2023-4966 and CVE-2025-5777) that have caused such great struggle for organizations all over the world, there is one critical difference, exploitation can only happen if the appliance has been purposely configured to be an SAML Identity Provider (SAML IDP). Any installation which has not been modified through configuration will not be exploited by this new CVE_ID number.

To check whether your device is vulnerable, Citrix recommends searching your configuration for this string: add authentication samlIdPProfile .*

The second flaw, CVE-2026-4368 (CVSS 7.7), is a race condition that can lead to user session mix-up. It only impacts appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA server. You can verify this by looking for these configuration lines:
1. add authentication vserver .* (AAA virtual server)
2. add vpn vserver .* (Gateway)

Affected Versions


The vulnerabilities affect:
1. NetScaler ADC and Gateway 14.1 before build 14.1-66.59
2. NetScaler ADC and Gateway 13.1 before build 13.1-62.23
3. NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Citrix strongly recommends applying the latest patches as soon as possible. There is currently no evidence of active exploitation in the wild, but given NetScaler’s history of being heavily targeted (Citrix Bleed, Citrix Bleed 2, and others), the risk of rapid weaponization is high.

Benjamin Harris, CEO of watchTowr, put it plainly: “NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments… defenders need to act quickly.”

What You Should Do Right Now


1. Check your NetScaler configurations for SAML IDP or Gateway/AAA usage.
2. Update all critical systems with the newest released security patches as soon as possible (Version 14.1-66.59 or newer).
3. If your systems cannot be patched at this moment, the SAML IDP Functionality should be disabled temporarily if it is not needed by your organization.
4. Keep track of logs for any abnormal activities concerning authentication and memory utilization.

NetScaler Appliances operate at the edge of many corporations’ networks and thus are often the first point of contact for an attack. A memory leak similar to CVE-2026-3055 may appear limited but when exploited by experienced attackers, it may lead to a more extensive data breach.

If Citrix NetScaler ADC or Gateway exist in your environment; a necessary high priority security update.Better to spend an hour patching today than weeks dealing with the aftermath tomorrow.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067