Citrix has issued a security advisory disclosing two vulnerabilities in NetScaler ADC and NetScaler Gateway products that, if left unpatched, expose organizations to unauthenticated remote data leakage and authenticated session manipulation. The more severe of the two flaws, CVE-2026-3055, carries a CVSS v4.0 score of 9.3 and allows a remote, unauthenticated attacker to read sensitive data from the memory of a vulnerable appliance. A companion flaw, CVE-2026-4368, with a CVSS v4.0 score of 7.7, introduces a race condition capable of mixing active user sessions and enabling unauthorized access to another user's authenticated context.
CVE-2026-3055 is rooted in insufficient input validation during SAML authentication processing, triggering an out-of-bounds memory read. Because exploitation requires no authentication and no user interaction, and is reachable from the network without special privileges, the attack surface is broad for any appliance configured as a SAML Identity Provider. CVE-2026-4368 targets appliances operating as gateway or AAA virtual servers, exploiting a race condition in session management logic to cause session mix-up, potentially granting an attacker access to another user's application session.
Although Citrix has confirmed that neither vulnerability has been exploited in the wild as of the advisory publication date, the historical exploitation pattern for NetScaler vulnerabilities is instructive. Previous NetScaler flaws — including CVE-2023-4966 (CitrixBleed), CVE-2025-5777, CVE-2025-6543, and CVE-2025-7775 — were rapidly weaponized after public disclosure and widely exploited by ransomware operators and nation-state actors. The combination of a critical CVSS v4.0 score, unauthenticated network reach, and well-established attacker interest in NetScaler infrastructure makes exploitation of CVE-2026-3055 likely soon after proof-of-concept code becomes publicly available.
CVE-2026-3055, with a CVSS v4.0 score of 9.3 (Critical), is an out-of-bounds read vulnerability affecting NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML Identity Provider. Caused by insufficient input validation that leads to memory overread, the flaw enables a remote, unauthenticated attacker to retrieve potentially sensitive data from appliance memory without any user interaction. Affected versions include NetScaler ADC and NetScaler Gateway 14.1 before build 14.1-66.59 and version 13.1 before build 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before build 13.1-37.262. Organizations can determine whether their appliances are exposed by checking the running configuration for the string "add authentication samlIdPProfile" using the Citrix CLI; appliances not configured as SAML IDPs are not affected by this specific vulnerability.
CVE-2026-4368, with a CVSS v4.0 score of 7.7 (High), is a race condition vulnerability affecting NetScaler ADC and NetScaler Gateway when the device is configured as a gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. When triggered, the race condition causes the appliance to associate an incoming connection with the wrong user session, potentially allowing one authenticated user to operate within the session context of another user. This class of session confusion vulnerability is particularly hazardous in environments where NetScaler serves as the authentication boundary for sensitive enterprise applications, remote access, or privileged administrative workflows. Configuration exposure can be assessed by searching for the strings "add authentication vserver" or "add vpn vserver" in the running configuration.
Organizations relying on NetScaler ADC or NetScaler Gateway as their primary remote access and application delivery infrastructure face direct operational risk from these vulnerabilities. CVE-2026-3055 enables unauthenticated attackers to exfiltrate data held in appliance memory, which may include session tokens, cryptographic material, credential fragments, or other sensitive information transiting the device. CVE-2026-4368 introduces a session hijacking risk in environments where the appliance serves as the gateway for remote workers, privileged administrators, or application users, creating conditions under which an attacker or an ordinary user could inadvertently or deliberately gain access to another user's authenticated session. The breadth of affected configurations — encompassing both common deployment patterns for enterprise SSL VPN and SAML identity brokering — means that a significant portion of organizations running NetScaler on-premises are likely within the vulnerable scope.
From a compliance perspective, organizations subject to NERC CIP, HIPAA, PCI DSS, SOC 2, or state-level data protection regulations must treat these vulnerabilities with heightened urgency. An unauthenticated memory read against a perimeter authentication appliance represents a potential breach of confidentiality controls required under virtually all recognized security frameworks. Session mix-up conditions on an authentication gateway directly implicate access control and accountability requirements. Organizations that process protected health information, cardholder data, or operationally sensitive industrial control system credentials through NetScaler should document their patch response timeline as part of their audit and compliance obligations.
Citrix has released patched builds that address both CVE-2026-3055 and CVE-2026-4368. Organizations should take the following actions immediately:
1. Upgrade NetScaler ADC and NetScaler Gateway version 14.1 to build 14.1-66.59 or later.
2. Upgrade NetScaler ADC and NetScaler Gateway version 13.1 to build 13.1-62.23 or later.
3. Upgrade NetScaler ADC 13.1-FIPS and 13.1-NDcPP to build 13.1-37.262 or later.
4. Audit appliance configurations to determine whether the SAML IDP or gateway/AAA virtual server configurations are active, using the Citrix CLI commands "show run | grep samlIdPProfile" and "show run | grep vserver," and prioritize patching for exposed appliances.
5. Review firewall and access control policies to confirm that management interfaces are not reachable from untrusted networks as a defense-in-depth measure during the patching window.
6. Monitor Citrix support channels and CISA's Known Exploited Vulnerabilities catalog for any updates indicating active exploitation, and be prepared to accelerate incident response activities if exploitation is confirmed.
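The exposure checks described for CVE-2026-3055 and CVE-2026-4368 (the "add authentication samlIdPProfile", "add authentication vserver" and "add vpn vserver" configuration strings) and the fixed-build thresholds in the patch steps above can be combined into one triage script run over output collected from each appliance. The Python below is an added example written for this advisory; it is not Citrix tooling or 1898 & Co. code. It assumes `show ns version` output in the usual `NetScaler NS<release>: Build <major>.<minor>.nc` form and takes `show run` output as plain text; the sample version string and configuration lines are constructed. Because the build number alone does not reliably identify a 13.1-FIPS or 13.1-NDcPP appliance, that is passed as an explicit flag. The script matches the full virtual-server strings rather than the bare word "vserver", so load-balancing vservers are not counted as gateway/AAA exposure, and it reports releases not covered by the advisory as needing manual review rather than as safe.

```python
import re

# Minimum fixed builds from the Citrix advisory, keyed by (release, fips_ndcpp).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),   # 14.1-66.59
    ("13.1", False): (62, 23),   # 13.1-62.23
    ("13.1", True): (37, 262),   # 13.1-FIPS / 13.1-NDcPP 13.1-37.262
}

# Configuration strings named in the advisory for each CVE's affected role.
SAML_IDP_MARKER = "add authentication samlIdPProfile"            # CVE-2026-3055
GATEWAY_MARKERS = ("add authentication vserver", "add vpn vserver")  # CVE-2026-4368


def parse_version(show_ns_version: str):
    """Extract (release, (build_major, build_minor)) from 'show ns version' text.

    Assumes the common 'NetScaler NS14.1: Build 66.59.nc, ...' layout.
    """
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", show_ns_version)
    if not m:
        raise ValueError("could not parse 'show ns version' output")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def build_is_fixed(release: str, build, fips_ndcpp: bool = False):
    """True if the build is at or above the fixed build, False if below,
    None if the release is not covered by the advisory (manual review)."""
    threshold = FIXED_BUILDS.get((release, fips_ndcpp))
    if threshold is None:
        return None
    return build >= threshold  # tuple comparison: (66, 50) < (66, 59)


def config_flags(show_run: str):
    """Return (saml_idp_configured, gateway_or_aaa_configured) from 'show run' text."""
    lines = [line.strip() for line in show_run.splitlines()]
    saml_idp = any(line.startswith(SAML_IDP_MARKER) for line in lines)
    gateway_or_aaa = any(line.startswith(mk) for mk in GATEWAY_MARKERS for line in lines)
    return saml_idp, gateway_or_aaa


def assess(show_ns_version: str, show_run: str, fips_ndcpp: bool = False) -> dict:
    """Combine build state and configured roles into per-CVE exposure flags."""
    release, build = parse_version(show_ns_version)
    patched = build_is_fixed(release, build, fips_ndcpp)
    saml_idp, gateway_or_aaa = config_flags(show_run)
    if patched is None:
        # Release not in the advisory's fixed-build table: do not assume safe.
        exposed_3055 = exposed_4368 = None
    else:
        exposed_3055 = (not patched) and saml_idp
        exposed_4368 = (not patched) and gateway_or_aaa
    return {
        "release": release,
        "build": build,
        "patched": patched,
        "saml_idp": saml_idp,
        "gateway_or_aaa": gateway_or_aaa,
        "cve_2026_3055_exposed": exposed_3055,
        "cve_2026_4368_exposed": exposed_4368,
    }


# Constructed sample output for demonstration (not from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 62.14.nc, Date: Jan 1 2026, 00:00:00   (64-bit)"
SAMPLE_RUN = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add lb vserver lb_web HTTP 192.0.2.20 80
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication vserver aaa_vs SSL 192.0.2.30 443
add vpn vserver gw_vs SSL 192.0.2.40 443
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_RUN).items():
        print(f"{key}: {value}")
```

Run it against the saved `show ns version` and `show run` output of each appliance; a `None` in the exposure fields means the release is outside the advisory's table and needs a manual check against Citrix's bulletin rather than being treated as patched.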
Organizations that are unable to patch immediately should consider whether NetScaler appliances configured as SAML IDPs can be temporarily reconfigured to remove that functionality until patching is completed, accepting the operational impact of reduced SAML-based authentication availability during the maintenance window.
1898 & Co. maintains continuous visibility into the critical infrastructure vulnerability landscape and actively monitors disclosures from Citrix, CISA, and NVD for vulnerabilities affecting perimeter authentication and application delivery platforms. Our Cyber Threat Intelligence team tracks historical exploitation patterns for NetScaler vulnerabilities and provides advisory guidance to clients operating these platforms in both IT and OT-adjacent environments, where NetScaler appliances frequently serve as the network demarcation point for remote access to industrial control system networks.
Our security engineering team assists clients in assessing NetScaler deployment configurations, validating patch application through authenticated scanning and configuration review, and implementing compensating controls during patch windows when immediate upgrades are operationally constrained. 1898 & Co. has direct experience supporting clients through prior critical NetScaler incidents, including the widespread CitrixBleed (CVE-2023-4966) exploitation campaign, and applies those lessons to accelerate and de-risk current vulnerability response engagements.
1898 & Co. is prepared to assist clients in assessing their NetScaler exposure, executing emergency patching, conducting post-patch validation, and reviewing authentication architecture to reduce future attack surface. Organizations that rely on NetScaler for OT remote access or as a SAML broker for industrial application environments should treat this advisory with the same urgency applied to safety-critical system patching and contact our team for prioritized assessment support.