A newly disclosed critical vulnerability, CVE-2026-3055, affecting Citrix NetScaler appliances is already drawing attention from threat actors, with evidence of active reconnaissance efforts emerging shortly after its public disclosure.
The flaw, which carries a CVSS score of 9.3, highlights a serious security concern for organizations relying on NetScaler ADC and NetScaler Gateway, particularly those configured as a SAML IDP (SAML Identity Provider).
Understanding CVE-2026-3055 and Its Impact
The CVE-2026-3055 flaw is caused by insufficient input validation, leading to a memory overread vulnerability (classified under CWE-125: Out-of-bounds Read). This weakness can allow an unauthenticated attacker to access unintended portions of memory, potentially exposing sensitive data.
However, exploitation is not universally applicable across all deployments. According to the official advisory, successful attacks depend on a specific configuration: the affected Citrix NetScaler appliance must be set up as a SAML IDP. This requirement has shaped the behavior of threat actors, who are now actively scanning systems to identify those running in this particular mode.
This reconnaissance activity suggests attackers are attempting to determine whether a target environment meets the necessary preconditions before launching a full exploit.
Affected Versions and Technical Scope
The vulnerability impacts multiple versions of Citrix NetScaler ADC and NetScaler Gateway, including:
- Versions 14.1 before 14.1-60.58
- Versions 13.1 before 13.1-62.23
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262
In addition to CVE-2026-3055, the advisory also references another vulnerability, CVE-2026-4368, which involves a race condition leading to user session mix-ups. This secondary flaw carries a CVSS score of 7.7 and affects only version 14.1-66.54 under specific configurations such as Gateway services or AAA virtual servers.
Official Advisory Details and Timeline
The security bulletin, identified as CTX696300, provides comprehensive details about the vulnerabilities:
- Created Date: March 23, 2026
- Last Modified: March 27, 2026
- Severity: Critical
The advisory explicitly states that the “vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).” It further clarifies that CVE-2026-3055 was identified internally as part of ongoing security reviews aimed at strengthening product resilience.
Detection and Configuration Checks
Organizations can verify whether their Citrix NetScaler deployment is exposed to CVE-2026-3055 by inspecting configuration files for indicators of SAML IDP usage. Specifically, administrators should look for the following configuration string:
Add authentication samlIdPProfile .*
If present, the appliance is configured as an SAML IDP, making it potentially vulnerable if running an affected version.
Similarly, for CVE-2026-4368, administrators can check for:
- AAA virtual servers:
add authentication vserver .*
- Gateway configurations:
add vpn vserver .*
Mitigation and Recommended Actions
To address CVE-2026-3055, users of Citrix NetScaler are strongly advised to upgrade to patched versions as soon as possible. Recommended versions include:
- NetScaler ADC and Gateway 14.1-60.58
- 14.1-66.59 and later
- 13.1-62.23 and later
- 13.1-37.262 and later for FIPS and NDcPP builds
Customers are encouraged to move to supported versions that fully remediate the vulnerability rather than relying on temporary mitigations. It is also noted that the advisory applies specifically to customer-managed deployments. Cloud-managed services maintained by the vendor are updated automatically.
