Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

Summary

Citrix has released security updates addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway: CVE-2026-3055 (CVSS 9.3), an out-of-bounds read affecting SAML IDP-configured devices, and CVE-2026-4368 (CVSS 7.7), a race condition affecting gateway and AAA configurations. While no active exploitation has been reported, the flaws pose significant risk given NetScaler's history of exploitation (Citrix Bleed variants) and its role as a critical entry point for enterprise attacks.

Full text

Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks Ravie LakshmananMar 24, 2026Vulnerability / Enterprise Security Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application. The vulnerabilities are listed below - CVE-2026-3055 (CVSS score: 9.3) - Insufficient input validation leading to memory overread CVE-2026-4368 (CVSS score: 7.7) - Race condition leading to user session mixup Cybersecurity company Rapid7 said that CVE-2026-3055 refers to an out-of-bounds read that could be exploited by unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory. However, for exploitation to be successful, the Citrix ADC or Citrix Gateway appliance must be configured as a SAML Identity Provider (SAML IDP), which means default configurations are unaffected. To determine if the device has been configured as a SAML IDP Profile, Citrix is urging customers to inspect their NetScaler Configuration for the specified string: "add authentication samlIdPProfile .*" CVE-2026-4368, on the other hand, requires the appliance to be configured as a gateway (i.e., SSL VPN, ICA Proxy, CVPN, and RDP Proxy) or an Authentication, Authorization, and Accounting (AAA) server. Customers can check the NetScaler Configuration to ascertain if their devices have been configured as either of the nodes - AAA virtual server - add authentication vserver .* Gateway - add vpn vserver .* The vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Users are advised to apply the latest updates as soon as possible for optimal protection. While there is no evidence that the shortcomings have been exploited in the wild, security flaws in NetScaler devices have been repeatedly exploited by threat actors (CVE-2023-4966, aka Citrix Bleed, CVE-2025-5777, aka Citrix Bleed 2, CVE-2025-6543, and CVE-2025-7775), making it imperative that users take steps to update their instances. "CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments. If it sounds familiar, it's because it is – this vulnerability sounds suspiciously similar to Citrix Bleed and Citrix Bleed 2, which continue to represent a trauma event for many," watchTowr CEO and founder Benjamin Harris told The Hacker News. "NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments. While the advisory just went live, defenders need to act quickly. Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Citrix, cybersecurity, Data Leakage, enterprise security, NetScaler, network security, Vulnerability Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• cve — CVE-2026-3055
• cve — CVE-2026-4368
• cve — CVE-2023-4966
• cve — CVE-2025-5777
• cve — CVE-2025-6543
• cve — CVE-2025-7775