Citrix Urges Immediate Patching for Critical NetScaler Vulnerabilities
Citrix has released patches for two vulnerabilities in NetScaler ADC and Gateway, including a critical out-of-bounds read (CVE-2026-3055, CVSS 9.3) affecting SAML Identity Provider configurations.

Citrix has released a critical security bulletin addressing two new vulnerabilities in its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products. The flaws, disclosed on March 23, 2026, include a critical out-of-bounds read and a high-severity race condition, both of which could allow attackers to compromise affected systems. While no in-the-wild exploitation has been reported, Citrix is urging customers to apply patches immediately.
The first vulnerability, tracked as CVE-2026-3055, is a critical out-of-bounds read with a CVSS v4.0 score of 9.3. Identified internally by Citrix's parent company, Cloud Software Group, the flaw stems from insufficient input validation, leading to memory overread. An unauthenticated remote attacker could exploit this to leak sensitive information from the appliance's memory. Critically, the vulnerability only affects NetScaler systems explicitly configured as a SAML Identity Provider (SAML IDP); default or standard configurations remain unaffected. Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and FIPS/NDcPP before 13.1-37.262. Only customer-managed instances are vulnerable; cloud instances managed by Citrix are not affected.
The second vulnerability, CVE-2026-4368, is a high-severity race condition with a CVSS v4.0 score of 7.7. It affects NetScaler ADC and Gateway version 14.1-66.54 when configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Exploitation could cause session mix-up, potentially allowing an attacker to hijack user sessions. Citrix advises customers to upgrade to version 14.1-66.59 to remediate this flaw.
Citrix has introduced a Global Deny List feature in NetScaler 14.1.60.52 and later, which allows administrators to apply instant-on patches without rebooting. Cloud Software Group has released Global Deny List signatures for mitigating CVE-2026-3055. However, the company emphasizes that fully patched builds are the recommended long-term solution, with the Global Deny List serving as a temporary measure for rapid protection until a scheduled maintenance window.
These vulnerabilities highlight the ongoing risks facing enterprise networking appliances, which are frequent targets for attackers due to their critical role in application delivery and remote access. Citrix NetScaler ADC and Gateway are widely deployed in enterprise environments, making timely patching essential. The absence of known exploitation or public proof-of-concept code provides a window for organizations to secure their systems before attackers develop exploits.
Organizations using NetScaler should immediately identify whether their appliances are configured as a SAML IDP or as Gateway/AAA virtual servers and apply the relevant patches. Citrix has provided configuration patterns for identifying the exposed configurations: for SAML IDP, look for "add authentication samlIdPProfile .*", and for Gateway/AAA, look for "add authentication vserver .*" or "add vpn vserver .*". Upgrading to the latest builds—14.1-66.59 for version 14.1, and 13.1-62.23 for version 13.1—will address both vulnerabilities.
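As an added triage helper, not part of the Citrix bulletin or of any Citrix tooling, the following Python script applies the configuration patterns above and the fixed builds listed in this article to a saved running-configuration dump. It assumes the caller supplies the appliance's build string and configuration text, plus a `fips` flag for FIPS/NDcPP 13.1 builds; the sample configuration is constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds as stated in the bulletin summary above (ADC and Gateway).
FIXED_BUILDS = {"14.1": "14.1-66.59", "13.1": "13.1-62.23"}
FIXED_FIPS_NDCPP_131 = "13.1-37.262"
# The only build the bulletin names as affected by the race condition.
RACE_AFFECTED_BUILD = "14.1-66.54"

# Configuration patterns Citrix gives for the two exposure conditions.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile ", re.M)
GATEWAY_AAA_RE = re.compile(r"^add (authentication vserver|vpn vserver) ", re.M)

# Constructed sample of a running configuration (not from a real appliance).
SAMPLE_CONFIG = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 192.0.2.20 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 192.0.2.21 443
"""

def parse_build(version: str) -> Tuple[int, ...]:
    """Turn '14.1-66.59' into (14, 1, 66, 59) so builds compare in order."""
    return tuple(int(p) for p in re.split(r"[.-]", version.strip()))

def exposure(config_text: str) -> Dict[str, bool]:
    """Which of the two bulletin conditions the configuration matches."""
    return {
        "saml_idp": bool(SAML_IDP_RE.search(config_text)),
        "gateway_or_aaa": bool(GATEWAY_AAA_RE.search(config_text)),
    }

def triage(version: str, config_text: str, fips: bool = False) -> List[str]:
    """Return the CVE ids from the bulletin that apply to this appliance.
    `fips` is an assumed caller-supplied flag for FIPS/NDcPP 13.1 builds, whose
    fixed build number is lower than the standard 13.1 fix; release lines the
    bulletin does not list return no finding."""
    build = parse_build(version)
    line = f"{build[0]}.{build[1]}"
    found = exposure(config_text)
    hits: List[str] = []
    if found["saml_idp"]:
        fixed = FIXED_FIPS_NDCPP_131 if fips and line == "13.1" else FIXED_BUILDS.get(line)
        if fixed and build < parse_build(fixed):
            hits.append("CVE-2026-3055")
    if found["gateway_or_aaa"] and build == parse_build(RACE_AFFECTED_BUILD):
        hits.append("CVE-2026-4368")
    return hits
```

An appliance with neither pattern in its configuration returns an empty list regardless of build, matching the bulletin's statement that default configurations are unaffected.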