Vulnerabilities, Mar 25, 2026

Vulnerabilities affecting Citrix NetScaler ADC and Citrix NetScaler Gateway

NCSC alerts UK organisations to patch two critical Citrix NetScaler ADC/Gateway vulnerabilities.

Summary

The UK National Cyber Security Centre (NCSC) has issued an alert regarding two recently disclosed vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway products. CVE-2026-3055 involves insufficient input validation in SAML IdP configurations leading to memory overread, while CVE-2026-4368 is a race condition affecting gateway and AAA virtual server configurations that can cause user session mixup. Citrix has released patched versions (14.1-66.59, 13.1-62.23, and 13.1-37.262), and the NCSC recommends UK organisations apply these updates immediately and verify their appliance configurations.

Full text

Vulnerabilities affecting Citrix NetScaler ADC and Citrix NetScaler Gateway

UK organisations are encouraged to take immediate action to mitigate two recently disclosed vulnerabilities, CVE-2026-3055 and CVE-2026-4368, that affect Citrix NetScaler ADC and Citrix NetScaler Gateway.

What has happened?

Citrix has published a security bulletin detailing two vulnerabilities discovered in its NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products:

  • CVE-2026-3055: Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP, leading to memory overread.
  • CVE-2026-4368: Race condition in NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, leading to user session mixup.

Who is affected?

Organisations using the following Citrix products on premises are affected:

CVE-2026-3055:
  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262
Specific pre-condition for this vulnerability: the appliance must be configured as a SAML identity provider (IdP).

CVE-2026-4368:
  • NetScaler ADC and NetScaler Gateway 14.1-66.54
Specific pre-condition for this vulnerability: the appliance must be configured either as a gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

The vendor has advised that only customer-managed instances require remedial action to be taken.

What should I do?

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, Citrix has released the following updated versions that should be installed as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

The vendor has also released the following specific checks that organisations can perform to determine whether their appliances are configured in such a way that they would be vulnerable:

CVE-2026-3055: Customers can determine if they have an appliance configured with a SAML IDP profile by inspecting their NetScaler configuration for the specified string:

  Add authentication samlIdPProfile .*

CVE-2026-4368: Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler configuration for the specified strings:

  An Auth Server (AAA Vserver):
  add authentication vserver .*

  A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy):
  add vpn vserver .*

Affected users should continue to monitor the Citrix security bulletin for any further updates.

Further NCSC resources

The NCSC provides a range of free guidance, services and tools that help to secure systems.
  • Follow NCSC guidance including vulnerability management and preventing lateral movement.
  • UK organisations can sign up to the free NCSC Early Warning service to receive notifications of potential threats on your network.
  • The NCSC Vulnerability Disclosure Toolkit helps organisations of all sizes with the essential components of implementing a vulnerability disclosure process.

Published 25 March 2026. Written for: cyber security professionals, large organisations. News type: Alert.
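
The version thresholds and the three configuration strings above can be combined into a single triage check. The script below is an added example written for this page; it is not NCSC or Citrix code. It takes the fixed builds and the single affected build for CVE-2026-4368 exactly as the alert lists them, matches the vendor's config strings case-insensitively at line start (so the capitalised "Add" form in the alert and the lowercase form in a real ns.conf both match), and reports which CVE ids apply to a given build plus configuration. The file path /nsconfig/ns.conf, the script name check_netscaler.py and the three sample config lines are assumptions and constructed data, not taken from any real appliance.

```python
import re
import sys

# Fixed builds for CVE-2026-3055 as quoted in the alert.
# "BEFORE" means any build strictly lower than these is affected.
FIXED_BUILDS = {
    "14.1": (66, 59),        # 14.1-66.59
    "13.1": (62, 23),        # 13.1-62.23
    "13.1-FIPS": (37, 262),  # 13.1-37.262 (FIPS and NDcPP builds)
}

# The alert names exactly one affected build for CVE-2026-4368.
AFFECTED_4368 = ("14.1", 66, 54)

# Config strings the vendor says to look for. Matched case-insensitively at the
# start of a line, so both "Add authentication samlIdPProfile" (alert text) and
# "add authentication samlIdPProfile" (ns.conf) are found.
CONFIG_PATTERNS = {
    "saml_idp": re.compile(r"^add authentication samlIdPProfile\b", re.I | re.M),
    "aaa_vserver": re.compile(r"^add authentication vserver\b", re.I | re.M),
    "vpn_vserver": re.compile(r"^add vpn vserver\b", re.I | re.M),
}

VERSION_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)")


def parse_version(version: str):
    """Split a NetScaler build string such as '14.1-66.59' into ('14.1', 66, 59)."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def needs_patch_3055(version: str, fips: bool = False):
    """True if the build is below the fixed build for CVE-2026-3055.

    Returns None for a branch the alert does not cover, so a caller cannot
    mistake 'unknown' for 'patched'.
    """
    branch, build, sub = parse_version(version)
    key = "13.1-FIPS" if (fips and branch == "13.1") else branch
    if key not in FIXED_BUILDS:
        return None
    return (build, sub) < FIXED_BUILDS[key]


def is_affected_4368(version: str) -> bool:
    """True only for the build the alert names for CVE-2026-4368."""
    return parse_version(version) == AFFECTED_4368


def scan_config(config_text: str):
    """Report which vulnerable roles (SAML IdP, AAA vserver, VPN vserver) the config declares."""
    return {name: bool(pat.search(config_text)) for name, pat in CONFIG_PATTERNS.items()}


def assess(version: str, config_text: str, fips: bool = False):
    """Return the CVE ids from the alert that apply to this build AND this configuration."""
    roles = scan_config(config_text)
    findings = []
    if needs_patch_3055(version, fips) and roles["saml_idp"]:
        findings.append("CVE-2026-3055")
    if is_affected_4368(version) and (roles["aaa_vserver"] or roles["vpn_vserver"]):
        findings.append("CVE-2026-4368")
    return findings


# Constructed sample of the three relevant ns.conf lines (not from a real appliance).
SAMPLE_CONFIG = """\
add vpn vserver gw_vs SSL 0.0.0.0 0
add authentication vserver aaa_vs SSL 0.0.0.0 0
add authentication samlIdPProfile idp_prof -samlIdPCertName cert1
"""

if __name__ == "__main__":
    # Usage: python check_netscaler.py <version> [/nsconfig/ns.conf]
    # Without arguments the constructed sample above is assessed instead.
    ver = sys.argv[1] if len(sys.argv) > 1 else "14.1-66.54"
    path = sys.argv[2] if len(sys.argv) > 2 else None
    text = open(path).read() if path else SAMPLE_CONFIG
    print(f"{ver}: roles={scan_config(text)} applicable={assess(ver, text)}")
```

A build on a branch the alert does not list yields None rather than False from needs_patch_3055, and a non-FIPS 13.1 build is judged against 13.1-62.23 while a FIPS/NDcPP build is judged against 13.1-37.262, which is why the caller must say which flavour it is running. The config check only answers "is the vulnerable role configured"; it does not replace installing the fixed builds.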

Indicators of Compromise

  • cve — CVE-2026-3055
  • cve — CVE-2026-4368