Vulnerability alerts | 10 mins read | March 27, 2026

Citrix NetScaler ADC/Gateway Memory Overread: CVE-2026-3055


Citrix recently released security updates to address CVE-2026-3055, a critical out-of-bounds read vulnerability (CVSS 9.3) affecting NetScaler ADC and NetScaler Gateway appliances, allowing unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory.

Exploitation is configuration-dependent: the appliance must be configured as a SAML Identity Provider (SAML IDP). This constraint significantly shapes risk assessment but does not eliminate it—SAML IDP configurations are common in enterprise identity federation and single sign-on (SSO) deployments, particularly for cloud service integration.

As of the advisory's publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public, particularly given that Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including CVE-2023-4966 (CitrixBleed). Organizations must treat this as an urgent remediation priority.

Vulnerability Overview

CVE-2026-3055 (Primary Focus)

  • CVE ID: CVE-2026-3055
  • CVSS 4.0 Score: 9.3 Critical
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
  • Vulnerability Type: Insufficient input validation leading to out-of-bounds read
  • CWE: Out-of-bounds Read
  • Affected Products: Citrix NetScaler ADC, Citrix NetScaler Gateway
  • Configuration Requirement: SAML Identity Provider (SAML IDP) profile enabled
  • Exploitation Status: No public PoC; no known in-the-wild exploitation (as of March 23, 2026)
  • Advisory: CTX696300 (published March 23, 2026)
  • Citrix-Managed Cloud: Already patched; only customer-managed instances are affected

Secondary Vulnerability: CVE-2026-4368

A companion vulnerability (CVE-2026-4368, CVSS 7.7) was also disclosed in the same advisory. This is a race condition leading to user session mixup affecting appliances configured as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers. This analysis focuses on CVE-2026-3055.

Affected Versions & Patches

CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262:

Release Train          Affected Versions       Fixed Version     Patch Status
14.1                   Before 14.1-66.59       14.1-66.59        Available
13.1                   Before 13.1-62.23       13.1-62.23        Available
13.1-FIPS              Before 13.1-37.262      13.1-37.262       Available
13.1-NDcPP             Before 13.1-37.262      13.1-37.262       Available
Citrix-managed cloud   N/A                     Already patched   N/A

What is Memory Overread?

A memory overread vulnerability occurs when an application reads beyond the intended boundaries of an allocated memory region. Unlike buffer overflows (which write to adjacent memory), overread vulnerabilities leak data that should remain isolated—typically credentials, session tokens, encryption keys, or application configuration details.

In the context of CVE-2026-3055, insufficient input validation in the SAML processing logic allows an attacker to craft malicious SAML requests that trigger out-of-bounds memory access. The leaked data is returned to the attacker as part of the application's response, effectively exposing sensitive information that the SAML IDP should never disclose.

Risk Profile: Why This Matters

Identity infrastructure is a high-value target. SAML IDPs act as trust anchors for enterprise authentication. They issue tokens, validate assertions, and manage identity federation across cloud services, SaaS applications, and third-party integrations. Compromise of a SAML IDP can lead to:

  • Session token leakage: Attackers obtain valid tokens to impersonate users and access downstream applications.
  • Credential exposure: Plaintext or insufficiently protected credentials stored in memory during SAML processing are disclosed.
  • Application configuration leakage: Backend endpoint URLs, secrets, and policy rules may be recoverable from leaked memory.
  • Lateral movement: Compromised tokens enable attackers to pivot into cloud services and SaaS platforms that trust the IDP.

This is not a remote code execution vulnerability. It is an information disclosure attack. The distinction matters operationally: the attacker does not gain direct shell access to the appliance, but they gain the authentication artifacts needed to impersonate legitimate users at scale.

Exposure Assessment

Who Is At Risk?

Primary risk: Organizations running Citrix NetScaler ADC or Gateway appliances configured as SAML IDPs. This includes:

  • Enterprise environments using Citrix as a federation point for cloud services (Office 365, Salesforce, Workday, etc.)
  • Organizations leveraging NetScaler for single sign-on (SSO) to internally hosted applications
  • Hybrid environments where NetScaler bridges on-premises and cloud identity systems

Reduced risk: Default NetScaler configurations are unaffected. The SAML IDP feature must be explicitly configured. Organizations that have not configured a SAML IDP profile do not face risk from this vulnerability.

How to Determine Exposure

Citrix provides a simple detection method. Administrators should inspect the NetScaler configuration for the following string:

add authentication samlIdPProfile .*

If this string is present in the configuration, the appliance is configured as a SAML IDP and is vulnerable to CVE-2026-3055 until patched.

Action: SSH into your NetScaler appliance(s) and run:

show authentication samlIdPProfile

If output is returned (other than "No entries found"), the appliance requires immediate patching.
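The same check can be run offline against a saved configuration, which is useful when you have many appliances and a config backup for each. The script below is an added example written for this advisory; it is not Citrix tooling and not part of the original post. It assumes the text is an ns.conf whose first line carries the firmware as "#NS<release> Build <build>" (for example "#NS14.1 Build 66.59"; confirm the header format against your own export), and it takes the fixed builds from the advisory table quoted on this page. Because FIPS and NDcPP appliances share the 13.1 header, their train has to be passed explicitly. The sample configurations at the bottom are constructed, not real exports.

```python
"""Exposure check for CVE-2026-3055 against a saved NetScaler configuration.

Added example for this advisory; not Citrix tooling and not part of the
original post. Assumed ns.conf header format: "#NS<release> Build <build>".
"""
import re

# Fixed build per release train (from the advisory table on this page).
FIXED_BUILDS = {
    "14.1": "66.59",
    "13.1": "62.23",
    "13.1-FIPS": "37.262",
    "13.1-NDcPP": "37.262",
}

# The configuration line Citrix tells administrators to look for.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.MULTILINE)
# Firmware header at the top of ns.conf (assumed format, see docstring).
VERSION_RE = re.compile(
    r"^#NS(?P<release>\d+\.\d+)\s+Build\s+(?P<build>\d+\.\d+)", re.MULTILINE
)


def build_key(build):
    """Turn '66.59' into (66, 59) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in build.split("."))


def assess(ns_conf, train=None):
    """Return a dict describing whether this config is exposed to CVE-2026-3055."""
    match = VERSION_RE.search(ns_conf)
    if match is None:
        raise ValueError("no NetScaler firmware header found in configuration")
    release, build = match.group("release"), match.group("build")
    train = train or release
    if train not in FIXED_BUILDS:
        raise ValueError("release train %r is not covered by this check" % train)
    saml_idp = SAML_IDP_RE.search(ns_conf) is not None
    patched = build_key(build) >= build_key(FIXED_BUILDS[train])
    return {
        "release_train": train,
        "build": build,
        "saml_idp_configured": saml_idp,
        "patched": patched,
        # Exposure needs both conditions from the advisory: the SAML IDP
        # profile is present and the firmware predates the fixed build.
        "vulnerable": saml_idp and not patched,
    }


# Constructed sample configurations (not real appliance exports).
VULNERABLE_NS_CONF = """#NS14.1 Build 58.16
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication vserver aaa_vs SSL 10.0.0.20 443
"""

PATCHED_NS_CONF = VULNERABLE_NS_CONF.replace("Build 58.16", "Build 66.59")

NO_IDP_NS_CONF = "\n".join(
    line for line in VULNERABLE_NS_CONF.splitlines() if "samlIdPProfile" not in line
) + "\n"

if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE_NS_CONF),
                       ("patched", PATCHED_NS_CONF),
                       ("no IDP", NO_IDP_NS_CONF)]:
        print(name, assess(conf))
```

Run it against each backup and treat any result with "vulnerable": True as a patch-now item; a config with the profile present but an already fixed build reports patched, and a config without the profile reports not exposed regardless of build, matching the two conditions in the advisory.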

Exploitation Prerequisites

Based on Citrix's advisory, exploitation likely requires the following:

  1. Network access to the vulnerable NetScaler appliance (typically management or SAML endpoint ports)
  2. Crafted SAML request that triggers the memory overread condition
  3. SAML IDP configuration must be active on the target appliance

The CVSS 9.3 score suggests no authentication is required and the attack vector is network-accessible—consistent with a direct, unauthenticated attack against publicly reachable SAML endpoints.

Patch and Mitigation Guidance

Immediate Actions (24-48 hour window)

  1. Inventory all NetScaler appliances and verify which are configured as SAML IDPs using the detection method above.
  2. Prioritize patching of affected systems. Citrix has released security updates available through Security Bulletin CTX696300.
  3. Consult Citrix documentation for your specific NetScaler version and apply recommended patches immediately.

Short-Term Actions

  • Review SAML IDP logs for unexpected requests or error patterns that may indicate exploitation attempts.
  • Monitor for unusual memory consumption or service crashes following the detection window.
  • If possible, restrict network access to SAML IDP endpoints to known, trusted clients.

Long-Term Hardening

  • Implement network segmentation restricting access to NetScaler management and SAML endpoints.
  • Deploy WAF rules (if available) to detect and block malformed SAML requests.
  • Forward NetScaler logs to an external SIEM for anomaly detection.
  • Schedule regular patching cycles and stay current with Citrix security advisories.

Threat Landscape Context

This vulnerability fits a troubling pattern. NetScaler devices have been repeatedly exploited by threat actors (CVE-2023-4966, aka Citrix Bleed; CVE-2025-5777, aka Citrix Bleed 2; CVE-2025-6543; and CVE-2025-7775), establishing NetScaler as a persistent target for initial access into enterprise networks.

The Citrix history matters. The similarity between CVE-2026-3055 and the previously exploited CitrixBleed2 flaw (CVE-2025-5777) might spur attackers to develop exploits sooner rather than later. Benjamin Harris, CEO and founder of watchTowr, told The Hacker News: "CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments. If it sounds familiar, it's because it is – this vulnerability sounds suspiciously similar to Citrix Bleed and Citrix Bleed 2, which continue to represent a trauma event for many."

"NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments. While the advisory just went live, defenders need to act quickly. Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely."

Identity systems are attractive targets because they:

  • Are often exposed to the internet (for remote work and cloud integration)
  • Contain high-value authentication and authorization data
  • Provide a single point of leverage to compromise multiple downstream systems
  • Are infrequently inspected at the forensic level

Organizations should treat any vulnerability affecting identity infrastructure with the highest urgency, and this one demands immediate action.

Detection and Monitoring

What to Monitor

In the absence of a public PoC, defenders should watch for:

  • Unexpected SAML request patterns: Malformed assertions, oversized payloads, or requests with unusual XML structures
  • Memory-related errors: Application crashes, segmentation faults, or excessive memory consumption following SAML processing
  • Authentication anomalies: Valid-looking session tokens originating from unexpected sources or with unusual claims
  • Configuration changes: Unintended modifications to SAML IDP profiles or security policies

Recommended Monitoring Approach

Forward NetScaler logs to your SIEM and create alerts for:

  • SAML processing errors or exceptions
  • Requests to SAML endpoints from unexpected source IP ranges
  • Rapid, sequential requests that may indicate automated exploitation attempts
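The three alert conditions above can be expressed as a small detection routine. The code below is an added example for this advisory, not part of the original post and not a NetScaler or SIEM product rule. The log format it parses (one event per line as "<iso-timestamp> src=<ip> path=<path> status=<code> [msg=<token>]") is constructed for the example; map the fields from your own syslog or AppFlow export. The SAML endpoint path, the trusted service-provider ranges, and the burst threshold are placeholders to set for your environment.

```python
"""Alerting logic for the three SIEM conditions listed in the advisory, run
over constructed NetScaler-style access log lines.

Added example; not part of the original post and not a product rule.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format: "<iso-ts> src=<ip> path=<path> status=<n> [msg=<token>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d+)"
    r"(?:\s+msg=(?P<msg>\S+))?$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for junk."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev


def detect(lines, trusted_sources, saml_paths=("/saml/login",),
           burst_count=5, burst_window_s=60):
    """Return (kind, source_ip, timestamp) alerts for SAML endpoint traffic."""
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    recent = defaultdict(deque)  # per-source timestamps inside the sliding window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] not in saml_paths:
            continue
        src = ipaddress.ip_address(ev["src"])
        # 1. Requests to the SAML endpoint from outside the expected SP ranges.
        if not any(src in net for net in trusted):
            alerts.append(("untrusted_source", ev["src"], ev["ts"]))
        # 2. Explicit SAML processing errors surfaced by the appliance.
        if ev["msg"] and ev["msg"].startswith("SAML_"):
            alerts.append(("saml_processing_error", ev["src"], ev["ts"]))
        # 3. Rapid sequential requests from one source (sliding time window).
        window = recent[ev["src"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > burst_window_s:
            window.popleft()
        if len(window) == burst_count:  # fire once when the threshold is first crossed
            alerts.append(("request_burst", ev["src"], ev["ts"]))
    return alerts


def alert_counts(lines, trusted_sources):
    """Count alerts by kind; a quick triage summary."""
    counts = {}
    for kind, _, _ in detect(lines, trusted_sources):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample (placeholder addresses): two known SPs, one stray request
# that produced a SAML error, and a six-request burst from a second unknown source.
TRUSTED_SP_RANGES = ["203.0.113.0/24"]
SAMPLE_LOG = [
    "2026-03-27T10:00:00Z src=203.0.113.5 path=/saml/login status=200",
    "2026-03-27T10:00:30Z src=203.0.113.6 path=/saml/login status=200",
    "2026-03-27T10:01:00Z src=203.0.113.5 path=/cvpn/index.html status=200",
    "2026-03-27T10:02:00Z src=198.51.100.7 path=/saml/login status=500 msg=SAML_PROCESSING_ERROR",
] + [
    "2026-03-27T10:03:%02dZ src=198.51.100.9 path=/saml/login status=200" % (5 * i)
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, TRUSTED_SP_RANGES):
        print(*alert)
```

The burst rule fires once when a source first reaches the threshold inside the window rather than on every subsequent request, which keeps a scan from generating hundreds of duplicate alerts; tune the threshold and window to the normal request rate of your service providers so legitimate SSO traffic does not trip it.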

What We Know (and Don't Know)

Confirmed

  • CVSS 9.3 score indicates high exploitability and severe impact
  • Memory overread leading to information disclosure
  • Configuration-dependent (SAML IDP required)
  • Affects NetScaler ADC and Gateway products
  • Citrix has released patches

Still Emerging

  • Specific data types disclosed by the vulnerability (credentials vs. configuration vs. tokens)
  • Exact CVSS vector (authentication requirement, attack complexity, scope)
  • Exploitation difficulty or ease for threat actors
  • Whether public PoC development is underway in security research community

We will update this analysis as additional technical details surface.

Recommended Actions — Priority Order

This is a high-priority remediation event. Patch immediately.

Immediate Actions (24-48 hour window)

  1. DETECT — Run the detection command above to identify configured SAML IDP appliances in your environment:

show authentication samlIdPProfile

If output is returned (other than "No entries found"), the appliance is vulnerable and requires immediate patching.

  2. PATCH — Upgrade to fixed versions immediately:
  • NetScaler 14.1 → 14.1-66.59
  • NetScaler 13.1 → 13.1-62.23
  • NetScaler 13.1-FIPS/NDcPP → 13.1-37.262
  3. MONITOR — Forward NetScaler logs to SIEM, create alerts for SAML processing anomalies and unexpected peering events.
  4. HARDEN — Restrict network access to SAML endpoints and management interfaces using firewall allowlists.

If Compromise Is Suspected

  • Capture forensic artifacts (memory dumps, logs, configuration backups) before patching
  • Monitor for lateral movement indicators in downstream systems (Office 365, Salesforce, Workday, etc.)
  • Review authentication logs for unexpected token usage patterns
  • Engage incident response if compromise is confirmed
