Citrix has released emergency patches for two vulnerabilities affecting NetScaler ADC and NetScaler Gateway, urging administrators to upgrade affected on-premises appliances immediately. The most serious flaw — CVE-2026-3055 — carries a CVSS v4.0 score of 9.3 and is structurally similar to the CitrixBleed and CitrixBleed2 vulnerabilities that were weaponised in zero-day attacks in previous years, raising concerns that attackers will rapidly reverse-engineer the patch to develop working exploits.
CVE-2026-3055: Critical Out-of-Bounds Memory Read (CVSS 9.3)
The primary vulnerability is an out-of-bounds read caused by insufficient input validation in NetScaler's SAML Identity Provider implementation. A successful exploit allows an unauthenticated remote attacker to read beyond the bounds of an allocated memory buffer, potentially leaking sensitive data held in appliance memory — including session tokens, authentication credentials, and configuration data.
Exploitation prerequisites:
The vulnerability is only exploitable on appliances configured as a SAML Identity Provider (SAML IDP). Default NetScaler configurations are not affected. Administrators can check whether their appliance is vulnerable by searching the running configuration for:
add authentication samlIdPProfile .*
If this string is present, the appliance is operating as a SAML IDP and must be patched on an emergency basis.
Historical parallel:
The structural similarity to CitrixBleed (CVE-2023-4966) and CitrixBleed2 (CVE-2025-5777) is significant. Both prior vulnerabilities allowed unauthenticated attackers to retrieve sensitive memory content — and both were exploited at mass scale, including in attacks attributed to nation-state actors and ransomware groups. Security researchers warn that with a patch now publicly available, threat actors may reverse-engineer the fix to identify the precise memory handling flaw and develop a proof-of-concept exploit within days.
CVE-2026-4368: Session Confusion Race Condition (CVSS 7.7)
The secondary vulnerability is a race condition in NetScaler's session handling logic that can cause session mix-ups between concurrent users on appliances configured as:
- Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy)
- AAA virtual servers
This vulnerability specifically affects NetScaler ADC and NetScaler Gateway version 14.1-66.54 with those configurations. Exploitation could allow one authenticated session to inadvertently receive another user's session data — a serious information disclosure risk in multi-tenant or multi-user gateway environments.
Affected Versions and Fixed Releases
| Product | Vulnerable Versions | Fixed Version |
|---|---|---|
| NetScaler ADC | 14.1 before 14.1-66.59 | 14.1-66.59 or later |
| NetScaler Gateway | 14.1 before 14.1-66.59 | 14.1-66.59 or later |
| NetScaler ADC | 13.1 before 13.1-62.23 | 13.1-62.23 or later |
| NetScaler Gateway | 13.1 before 13.1-62.23 | 13.1-62.23 or later |
| NetScaler ADC 13.1-FIPS | before 13.1-37.262 | 13.1-37.262 or later |
| NetScaler ADC 13.1-NDcPP | before 13.1-37.262 | 13.1-37.262 or later |
Citrix-managed cloud services and Adaptive Authentication instances have already been updated automatically and require no customer action.
Global Deny List Mitigation
For organisations unable to immediately reboot into a patched firmware version, Citrix has released Global Deny List signatures as a temporary mitigation for CVE-2026-3055. This feature allows an instant-on patch to be applied to a running NetScaler appliance without requiring a system reboot — enabling protection while a scheduled maintenance window is arranged for the full upgrade.
Important limitation: Global Deny List mitigation for CVE-2026-3055 is only applicable on firmware builds 14.1-60.52 and 14.1-60.57. Organisations running other builds must upgrade directly to the patched release.
Citrix emphasises that the Global Deny List is a temporary measure and urges all customers to upgrade to the fixed firmware as soon as possible.
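The three operational checks above (the SAML IDP configuration search, the fixed-version table, and the Global Deny List build restriction) can be combined into one triage script. The following is an added example written for this page, not Citrix tooling and not part of the advisory; the sample configuration text is constructed, and the `add vpn vserver` / `add authentication vserver` lines used to flag Gateway or AAA configurations for CVE-2026-4368 are assumed command forms, not something the advisory specifies. It takes a saved configuration and a build string and reports exposure to each CVE plus Deny List eligibility.

```python
import re

# Constructed sample configuration fragment (not from a real appliance).
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert
add vpn vserver gw_vs SSL 10.0.0.20 443
"""

# The advisory's SAML IDP indicator: any "add authentication samlIdPProfile ..." line.
SAML_IDP_PATTERN = re.compile(r"^add authentication samlIdPProfile\b", re.MULTILINE)

# Assumed command forms indicating Gateway or AAA virtual servers (CVE-2026-4368 scope).
GATEWAY_OR_AAA_PATTERN = re.compile(
    r"^add (?:vpn|authentication) vserver\b", re.MULTILINE
)

# Fixed builds from the advisory table, keyed by product line because the
# FIPS/NDcPP releases use a separate (numerically lower) build line.
FIXED_BUILDS = {
    "14.1": "14.1-66.59",
    "13.1": "13.1-62.23",
    "13.1-FIPS": "13.1-37.262",
    "13.1-NDcPP": "13.1-37.262",
}

# Builds on which the Global Deny List mitigation for CVE-2026-3055 applies.
DENY_LIST_BUILDS = {"14.1-60.52", "14.1-60.57"}

# The single build the advisory names for CVE-2026-4368.
CVE_2026_4368_BUILD = "14.1-66.54"


def parse_build(build: str) -> tuple:
    """Turn '14.1-66.59' into (14, 1, 66, 59) so builds compare in order."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_saml_idp(config_text: str) -> bool:
    """True if the appliance is configured as a SAML Identity Provider."""
    return SAML_IDP_PATTERN.search(config_text) is not None


def is_gateway_or_aaa(config_text: str) -> bool:
    """True if Gateway or AAA virtual servers are present (assumed command forms)."""
    return GATEWAY_OR_AAA_PATTERN.search(config_text) is not None


def is_patched(build: str, product_line: str) -> bool:
    """Compare a build against the fixed release for its product line."""
    if product_line not in FIXED_BUILDS:
        raise ValueError(f"unknown product line {product_line!r}")
    return parse_build(build) >= parse_build(FIXED_BUILDS[product_line])


def deny_list_eligible(build: str) -> bool:
    """Global Deny List mitigation is only offered on two specific builds."""
    return build.strip() in DENY_LIST_BUILDS


def assess(config_text: str, build: str, product_line: str) -> dict:
    """Summarise exposure for one appliance; product_line selects the fix table row."""
    saml = is_saml_idp(config_text)
    patched = is_patched(build, product_line)
    return {
        "saml_idp": saml,
        "patched": patched,
        "exposed_to_cve_2026_3055": saml and not patched,
        "exposed_to_cve_2026_4368": (
            build.strip() == CVE_2026_4368_BUILD and is_gateway_or_aaa(config_text)
        ),
        "deny_list_eligible": saml and not patched and deny_list_eligible(build),
    }


if __name__ == "__main__":
    for b in ("14.1-60.57", "14.1-66.54", "14.1-66.59"):
        print(b, assess(SAMPLE_CONFIG, b, "14.1"))
```

The product line must be chosen by the operator: a 13.1-FIPS appliance on 13.1-37.262 is patched, but the same build string compared against the standard 13.1 row would wrongly read as unpatched, which is why the table is keyed by product rather than by bare build number.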
Exploitation Status
As of the time of advisory publication, Citrix reports no known in-the-wild exploitation of either vulnerability and no public proof-of-concept code. However, security researchers and threat intelligence vendors are closely monitoring underground channels given the severity rating and structural similarity to previously exploited CitrixBleed flaws.
The window between patch release and the appearance of working exploits for critical Citrix vulnerabilities has historically been very short — in some cases under 72 hours. Security teams should treat this as a time-sensitive patching priority.
Recommended Actions
- Verify SAML IDP configuration — Run the configuration check immediately to determine if appliances are in scope for CVE-2026-3055
- Prioritise patching SAML-configured appliances — These are directly in the blast radius of the critical flaw and should be patched on an emergency basis
- Apply Global Deny List signatures — Use as a temporary bridge on supported firmware builds while arranging maintenance windows
- Upgrade all appliances — Even those not configured as SAML IDP should be upgraded to receive the CVE-2026-4368 fix
- Review authentication logs — Look for anomalous SAML authentication activity that could indicate pre-patch scanning or exploitation attempts
Qualys customers can detect vulnerable assets using QIDs 386883 (CVE-2026-3055) and 386882 (CVE-2026-4368).
The official Citrix security advisory is available as CTX696300 through the Citrix support portal.