Critical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms Warn

Summary

Citrix released security patches for CVE-2026-3055, a critical out-of-bounds read vulnerability in NetScaler ADC and Gateway that allows unauthenticated attackers to leak sensitive memory from SAML IDP deployments. Security researchers warn exploitation is imminent despite no current wild exploitation, citing similarities to previous CitrixBleed vulnerabilities. The flaw affects versions prior to 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1.37.262, and a second high-severity race condition (CVE-2026-4368) was also patched.

Full text

Citrix on Monday announced patches for a critical-severity vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could lead to sensitive memory leaks. The flaw is tracked as CVE-2026-3055 (CVSS score of 9.3) and is described as an out-of-bounds read issue impacting NetScaler deployments configured as a SAML Identity Provider (SAML IDP). “Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: add authentication samlIdPProfile .*,” Citrix notes in its advisory. Fixes for the security defect were included in NetScaler ADC and NetScaler Gateway versions 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1.37.262. The security updates also resolve CVE-2026-4368, a high-severity race condition issue that could lead to ‘user session mixup’ if the appliances are configured as gateways or AAA virtual servers. The company says the critical vulnerability was discovered through its ongoing security reviews and makes no mention of either of the two flaws being exploited in the wild, but urges customers to apply the patches as soon as possible.Advertisement. Scroll to continue reading. According to security researchers, however, CVE-2026-3055 should not be treated lightly. In fact, watchTowr CEO and founder Benjamin Harris points out that the bug “sounds suspiciously similar to CitrixBleed and CitrixBleed2, which continue to represent a trauma event for many”. Harris also warns that the bug could allow unauthenticated attackers to leak and read sensitive memory from vulnerable deployments and that exploitation is likely to start soon. Pointing out that “there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available” now, Rapid7 also believes that attacks targeting CVE-2026-3055 could start as soon as exploitation code becomes public. The security firm also notes that the SAML IDP configuration required for successful exploitation is likely very common among organizations that use single sign-on. “NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments. Defenders need to act quickly. Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely,” Harris said. Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own Related: Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability Related: Apple Debuts Background Security Improvements With Fresh WebKit Patches Related: Citrix Patches Exploited NetScaler Zero-Day Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain AttackQNAP Patches Four Vulnerabilities Exploited at Pwn2Own Tycoon 2FA Fully Operational Despite Law Enforcement TakedownEclypsium Raises $25 Million for Device Supply Chain SecurityNavia Data Breach Impacts 2.7 MillionThousands of Magento Sites Hit in Ongoing Defacement CampaignAllure Security Raises $17 Million for Online Brand ProtectionCritical Langflow Vulnerability Exploited Hours After Public Disclosure Latest News Webinar Today: Putting CIS Controls and Benchmarks into Practice3.1 Million Impacted by QualDerm Data BreachIran Built a Vast Camera Network to Control Dissent. Israel Turned It Into a Targeting ToolMazda Says Employee, Partner Information Stolen in CyberattackStryker Says Malicious File Found During Probe Into Iran-Linked AttackRSAC 2026 Conference Announcements Summary (Pre-Event)M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 SecondsChip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move7AI has appointed Israel Barak as its first Chief Information Security Officer.Brian Harrell has been appointed Chief Security Officer at FirstEnergy.eSentire has named James C. Foster as Chief Executive Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-3055
• cve — CVE-2026-4368