
Citrix NetScaler Vulnerabilities CVE-2026-3055 & CVE-2026-4368

A critical out-of-bounds (OOB) read vulnerability, identified as CVE-2026-3055, has been discovered in Citrix NetScaler ADC and NetScaler Gateway. The vulnerability allows unauthenticated attackers to remotely siphon sensitive data directly from the appliance's memory. A sibling vulnerability (CVE-2026-4368) was also identified, which can cause "session mixup," allowing low-privilege users to hijack high-privilege sessions.

Threat alert
March 26, 2026

CVE-2026-3055: Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread.

CVE-2026-4368: Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server leading to User Session Mixup.

Because the vulnerability leaks raw memory, attackers can steal:

  • Active Session Tokens: Enabling attackers to impersonate users and completely bypass MFA.
  • Administrative Credentials: Granting full control over the NetScaler management plane.
  • SSL Private Keys: Resulting in the total loss of traffic confidentiality and requiring certificate re-issuance.


Critical Configurations

Risk is highest if your NetScaler is configured in the following roles:

  • SAML Identity Provider (IdP): Required for CVE-2026-3055. (Inspect the NetScaler configuration for the string "add authentication samlIdPProfile .*".)
  • Gateway/AAA Virtual Server: Required for CVE-2026-4368. (Search the configuration for "vserver".)

Vulnerable Versions

All managed on-premises and cloud instances must be upgraded to the following minimum firmware versions immediately:


  • NetScaler ADC and NetScaler Gateway versions 14.1, fixed in 14.1-66.59.
  • NetScaler ADC and NetScaler Gateway versions 13.1, fixed in 13.1-62.23.
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP, fixed in 13.1-37.262 (also referred to as 13.1.37.262 in the vendor advisory).


Versions 12.1 and 13.0 are End-of-Life (EOL) and will not receive patches. These must be migrated to a supported version immediately. Note: only customer-managed instances are affected, not cloud instances managed by Citrix.
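To turn the configuration checks above and the fixed-build table into something repeatable, here is an added triage script (not Citrix's tooling, not part of this alert) that compares an appliance's reported version against the minimum fixed builds and scans an exported ns.conf for the SAML IdP and Gateway/AAA roles. It assumes versions are given in the advisory's "14.1-66.59" form, that the caller knows whether the box runs the 13.1-FIPS/NDcPP train, and that the roles appear as the usual "add authentication samlIdPProfile", "add vpn vserver" and "add authentication vserver" config lines; the sample ns.conf is constructed.

```python
import re

# Minimum fixed builds as stated in the alert: (release, fips_train) -> (major, minor)
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1-FIPS and 13.1-NDcPP
}
EOL_RELEASES = {"12.1", "13.0"}  # no patches; migrate

# Config lines that place the appliance in an affected role (assumed ns.conf syntax)
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\s", re.M)
GATEWAY_AAA_RE = re.compile(r"^add (?:vpn|authentication) vserver\s", re.M)

def parse_version(version: str) -> tuple[str, tuple[int, int]]:
    """Split '14.1-66.59' into ('14.1', (66, 59))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def version_status(version: str, fips: bool = False) -> str:
    """'fixed', 'vulnerable', 'eol-migrate' or 'unknown' for a reported build."""
    release, build = parse_version(version)
    if release in EOL_RELEASES:
        return "eol-migrate"
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"  # tuple compare: (37,262) < (62,23)

def exposed_roles(ns_conf: str) -> dict[str, bool]:
    """Which CVE-relevant roles the configuration enables."""
    return {
        "CVE-2026-3055": bool(SAML_IDP_RE.search(ns_conf)),   # SAML IdP
        "CVE-2026-4368": bool(GATEWAY_AAA_RE.search(ns_conf)),  # Gateway / AAA vserver
    }

def assess(version: str, ns_conf: str, fips: bool = False) -> dict:
    """Combine build status and role exposure into a list of CVEs needing action."""
    status = version_status(version, fips)
    roles = exposed_roles(ns_conf)
    affected = [cve for cve, on in roles.items() if on] if status != "fixed" else []
    return {"version_status": status, "roles": roles, "affected_cves": affected}

# Constructed sample ns.conf: a Gateway vserver plus a SAML IdP profile
SAMPLE_NS_CONF = """\
add vpn vserver vpn_gw SSL 203.0.113.10 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add lb vserver web_lb HTTP 10.0.0.5 80
"""

if __name__ == "__main__":
    print(assess("14.1-47.46", SAMPLE_NS_CONF))
```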


Refer to the vendor advisory for full details.

Recommendations

  • Businesses can use the NetScaler Console (formerly ADM) to identify impacted instances.
  • For instances that cannot be patched immediately, it is recommended to deploy the Global Deny List signatures (available for specific 14.1 builds) as a virtual patch.
  • Execute firmware upgrades and prioritise internet-facing SAML IdPs.
  • Terminate all active sessions to invalidate any potentially stolen tokens currently in use by attackers.