Citrix NetScaler Flaw Could Leak Sensitive Data (CVE‑2026‑3055)

Citrix has released security updates for NetScaler ADC and NetScaler Gateway, addressing two vulnerabilities — including a critical flaw that could allow unauthenticated attackers to leak sensitive data from memory.

The Vulnerabilities

  • CVE‑2026‑3055 (CVSS 9.3): Insufficient input validation → memory overread.
    • Exploitable by unauthenticated attackers.
    • Requires the appliance to be configured as a SAML Identity Provider (SAML IDP).
    • Default configurations are unaffected.
  • CVE‑2026‑4368 (CVSS 7.7): Race condition → user session mix‑up.
    • Exploitable when configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA server.

Affected versions:

  • NetScaler ADC/Gateway 14.1 before 14.1‑66.59
  • NetScaler ADC/Gateway 13.1 before 13.1‑62.23
  • NetScaler ADC 13.1‑FIPS and 13.1‑NDcPP before 13.1‑37.262

Why This Matters

  • High‑value target: NetScaler appliances are critical for enterprise access and authentication.
  • Similarity to Citrix Bleed: CVE‑2026‑3055 resembles past Citrix Bleed flaws (CVE‑2023‑4966, CVE‑2025‑5777), which were heavily exploited.
  • Initial access risk: Attackers often target NetScaler for footholds into enterprise networks.
  • Imminent exploitation likely: While no active exploitation has been confirmed yet, history suggests attackers will move quickly.

Defensive Recommendations

  • Patch immediately: Upgrade to the latest fixed versions.
  • Check configurations:
    • Search the NetScaler configuration for lines matching "add authentication samlIdPProfile .*" to identify SAML IDP setups.
    • Search for lines matching "add authentication vserver .*" or "add vpn vserver .*" to identify AAA or Gateway setups.
  • Reduce exposure: Limit internet‑facing NetScaler instances.
  • Monitor logs: Watch for anomalies in authentication and session handling.
  • Defense‑in‑depth: Treat NetScaler as critical infrastructure — segment, monitor, and harden accordingly.
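
The version and configuration checks above can be combined into one triage script. The following is an added example, not code from Citrix or from this article: it assumes the build string is supplied in the form "14.1-66.59", that the caller knows whether the appliance runs a FIPS/NDcPP build (the `fips` flag is a hypothetical parameter), and it applies the fixed builds listed above to both CVEs, as this page does.

```python
import re

# Fixed builds as listed on this page: branch -> first fixed (major, minor) build.
FIXED = {"14.1": (66, 59), "13.1": (62, 23), "13.1-FIPS/NDcPP": (37, 262)}

# Configuration patterns from the page, mapped to the CVE each one makes relevant.
PATTERNS = {
    "CVE-2026-3055": [r"^add authentication samlIdPProfile\s"],
    "CVE-2026-4368": [r"^add authentication vserver\s", r"^add vpn vserver\s"],
}

def is_patched(version, fips=False):
    """True/False for a listed branch, None for a branch this page does not list."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = m.group(1) + ("-FIPS/NDcPP" if fips else "")
    if branch not in FIXED:
        return None
    return (int(m.group(2)), int(m.group(3))) >= FIXED[branch]

def exposed_roles(config_text):
    """Return {cve: [matching config lines]} for the roles the page ties to each CVE."""
    hits = {}
    for cve, patterns in PATTERNS.items():
        for line in config_text.splitlines():
            line = line.strip()
            if any(re.match(p, line, re.IGNORECASE) for p in patterns):
                hits.setdefault(cve, []).append(line)
    return hits

def assess(version, config_text, fips=False):
    """Flag a CVE when its role is configured and the build is not known to be fixed."""
    patched = is_patched(version, fips)
    roles = exposed_roles(config_text)
    return {cve: {"configured": cve in roles, "patched": patched,
                  "action_needed": cve in roles and patched is not True}
            for cve in PATTERNS}

# Constructed sample config (not from a real appliance).
SAMPLE = """\
add ns ip 192.0.2.10 255.255.255.0
add authentication vserver aaa_vs SSL 192.0.2.20 443
add authentication samlIdPProfile idp_prof -samlSPCertName sp_cert
"""

if __name__ == "__main__":
    for cve, result in assess("14.1-60.52", SAMPLE).items():
        print(cve, result)
```

A branch that is not in the list returns `patched: None` and is still flagged when the role is configured, so it gets a manual review instead of a silent pass.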

Final Thought

NetScaler vulnerabilities have repeatedly been exploited in high‑profile breaches. CVE‑2026‑3055 and CVE‑2026‑4368 continue that trend, showing why patching identity and access infrastructure must be a top priority. Organizations running affected versions should act now — before attackers turn these flaws into the next Citrix Bleed‑style campaign.
