Citrix has issued critical security updates to address two vulnerabilities impacting its NetScaler ADC and NetScaler Gateway products. The most severe, rated critical, could allow unauthenticated attackers to gain access to and leak sensitive data from the application. These vulnerabilities underscore the ongoing threat landscape for enterprise security solutions.
The two disclosed vulnerabilities are designated CVE-2026-3055 and CVE-2026-4368. CVE-2026-3055 carries a CVSS score of 9.3, indicating its critical severity, and stems from insufficient input validation leading to a memory overread. CVE-2026-4368, with a CVSS score of 7.7, is attributed to a race condition that could result in user session mix-ups.
Citrix Addresses Critical NetScaler Vulnerabilities
According to cybersecurity firm Rapid7, CVE-2026-3055 represents an out-of-bounds read flaw. This could be exploited by remote attackers without authentication to expose potentially sensitive information residing in the appliance’s memory. Successful exploitation, however, is contingent on the Citrix ADC or Citrix Gateway appliance being configured as a SAML Identity Provider (SAML IDP).
Citrix has advised its customers to check their NetScaler configurations for the presence of the string “add authentication samlIdPProfile .*” to determine whether their devices are operating as a SAML IDP. Devices with default configurations are not considered vulnerable to this specific flaw.
Understanding the Exploitation Conditions
In contrast, CVE-2026-4368 requires the appliance to be configured as a gateway, which encompasses services like SSL VPN, ICA Proxy, CVPN, and RDP Proxy, or as an Authentication, Authorization, and Accounting (AAA) server. Administrators can check their NetScaler configurations for specific commands to identify if their devices meet these criteria.
The vulnerable versions of NetScaler ADC and NetScaler Gateway include versions 14.1 prior to build 14.1-66.59 and versions 13.1 before build 13.1-62.23. Additionally, NetScaler ADC 13.1-FIPS and 13.1-NDcPP versions older than build 13.1-37.262 are also affected. Users are strongly urged to apply the latest security updates to ensure comprehensive protection.
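The assessment the article describes, checking the running configuration for the SAML IDP profile string (CVE-2026-3055), for Gateway or AAA configuration (CVE-2026-4368), and the installed build against the fixed builds listed above, can be scripted offline against a saved copy of ns.conf. The following is an added example, not Citrix's or Rapid7's code. The samlIdPProfile pattern and the fixed build numbers come from the article; the `add vpn vserver` and `add authentication vserver` lines used as Gateway/AAA indicators are my assumption about how those services appear in a NetScaler configuration (the article only says "specific commands"), and the sample configuration is constructed for illustration.

```python
import re

# Fixed builds as reported in the article; anything lower on the same branch is affected.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
    "13.1-NDcPP": (37, 262),
}

# Indicator from the Citrix guidance quoted in the article.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile .*", re.M)
# ASSUMPTION: Gateway (SSL VPN / ICA Proxy / CVPN / RDP Proxy) and AAA deployments
# are created with these NetScaler CLI commands; the article does not list them.
GATEWAY_RE = re.compile(r"^add vpn vserver .*", re.M)
AAA_RE = re.compile(r"^add authentication vserver .*", re.M)


def parse_build(build: str) -> tuple[int, int]:
    """Turn a build string such as '66.59' into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return int(m.group(1)), int(m.group(2))


def build_is_affected(branch: str, build: str) -> bool:
    """True when the build on the given branch is older than the fixed build."""
    if branch not in FIXED_BUILDS:
        raise ValueError(f"unknown branch {branch!r}; expected one of {sorted(FIXED_BUILDS)}")
    # Tuple comparison keeps 61.100 < 62.23, which a plain string compare would get wrong.
    return parse_build(build) < FIXED_BUILDS[branch]


def config_exposure(ns_conf: str) -> dict[str, bool]:
    """Report which exploitation preconditions the configuration satisfies."""
    return {
        "saml_idp": bool(SAML_IDP_RE.search(ns_conf)),
        "gateway_or_aaa": bool(GATEWAY_RE.search(ns_conf) or AAA_RE.search(ns_conf)),
    }


def assess(branch: str, build: str, ns_conf: str) -> dict[str, bool]:
    """Combine version and configuration checks per CVE.

    A device is only exposed to a CVE when it runs an affected build AND
    its configuration meets that CVE's precondition.
    """
    affected = build_is_affected(branch, build)
    exposure = config_exposure(ns_conf)
    return {
        "CVE-2026-3055": affected and exposure["saml_idp"],
        "CVE-2026-4368": affected and exposure["gateway_or_aaa"],
    }


# Constructed sample configuration (not from a real appliance): one SAML IDP profile
# and one Gateway virtual server, so both preconditions are met.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add vpn vserver gw_vs SSL 192.0.2.20 443
"""

if __name__ == "__main__":
    for branch, build in (("14.1", "66.58"), ("14.1", "66.59"), ("13.1-FIPS", "37.261")):
        print(branch, build, assess(branch, build, SAMPLE_NS_CONF))
```

Run it against the text of `show ns runningConfig` (or a backed-up ns.conf) together with the branch and build reported by `show ns version`; a result of `True` for either CVE means the appliance needs the fixed build before anything else, while `False` on an affected build still warrants the update, since the preconditions only gate these two specific issues.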
While there is currently no reported evidence of these specific vulnerabilities being exploited in the wild, security flaws in NetScaler devices have a history of being targeted by threat actors. Notable past incidents include CVE-2023-4966 (Citrix Bleed), CVE-2025-5777 (Citrix Bleed 2), CVE-2025-6543, and CVE-2025-7775, all of which saw active exploitation. This history emphasizes the imperative for users to promptly update their systems.
Benjamin Harris, CEO and founder of watchTowr, commented on the implications of CVE-2026-3055, noting its resemblance to previous significant vulnerabilities like Citrix Bleed. He highlighted that NetScaler devices are frequently targeted for initial access into enterprise networks. Harris stressed the need for immediate action from defenders, anticipating a high likelihood of imminent exploitation.
The immediate next step for organizations utilizing NetScaler ADC and NetScaler Gateway is to assess their current configurations, identify potentially affected versions, and apply the released security updates. The ongoing targeting of these critical infrastructure components by malicious actors necessitates a proactive and vigilant approach to enterprise security management.