Failior Engineering Blog
Security Advisory

Security Advisory: CVE-2026-3055, a Critical Vulnerability in Citrix NetScaler ADC and Gateway Appliances (SAML IdP), Vetted Against CISA and CISecurity Advisory Sources

Critical Out-of-Bounds Read Vulnerability in Citrix NetScaler ADC and Gateway

CVE-2026-3055 is a critical vulnerability in Citrix NetScaler ADC and Gateway appliances configured as SAML IdPs. It allows unauthenticated attackers to access sensitive memory, including active session tokens. Immediate patching and configuration audits are essential to reduce exploitation risk.

Critical CVE-2026-3055 Vulnerability in Citrix NetScaler ADC and Gateway Appliances

In March 2026, Citrix revealed a critical security flaw, CVE-2026-3055, affecting NetScaler ADC and Gateway appliances when configured as SAML Identity Providers.

This out-of-bounds read vulnerability lets unauthenticated remote attackers read memory beyond the bounds of the buffer the appliance intended to expose.

The leaked memory can include active session tokens, the values that carry session state and identity verification; an attacker holding such a token could hijack the session or gain unauthorized access, undermining the integrity of identity management.

Affected software versions are NetScaler 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1-FIPS/NDcPP before 13.1-37.262. The flaw is reachable only when the appliance is configured as a SAML IdP, a configuration typically identifiable by authentication samlIdPProfile entries.

Though no widespread exploitation has been reported, CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities Catalog, underscoring the need for immediate patching and mitigation.

  • Out-of-bounds read vulnerability remotely exploitable without authentication in NetScaler ADC and Gateway configured as SAML IdP.
  • Successful exploitation can leak session tokens and other sensitive memory, risking identity session hijacking.
  • Affected versions include NetScaler ADC/Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1-FIPS/NDcPP before 13.1-37.262.
  • No confirmed active exploitation at this time, but CISA lists CVE-2026-3055 as a known exploited vulnerability that demands urgent mitigation.

Impact Analysis and Mitigation Guidance

The impact is unauthorized disclosure of sensitive information through an out-of-bounds memory read on NetScaler appliances configured as SAML Identity Providers.

Exposed session tokens allow attackers to hijack user sessions, circumvent authentication, and gain unauthorized resource access.

Citrix has issued patches addressing the vulnerability; installing these updates is essential to prevent potential exploitation.

Furthermore, CISA's Binding Operational Directive 22-01 stresses rapid patching or ceasing unpatched services, particularly relevant to cloud or hybrid environments operating NetScaler appliances.

  • Remote, unauthenticated attackers can read out-of-bounds memory to access active SAML session tokens.
  • Session token leakage exposes environments to unauthorized session hijacking and access control compromise.
  • Citrix released patches that resolve the out-of-bounds read flaw; applying these is critical.
  • CISA advises organizations, especially cloud providers, to patch promptly or discontinue unpatched services in line with BOD 22-01 guidance.

Recommended Actions for Securing Citrix NetScaler

Start by auditing your NetScaler appliances to confirm whether they are configured as SAML Identity Providers, identifiable by samlIdPProfile entries in the configuration.

Next, apply the latest Citrix patches that fix the vulnerability: 14.1-66.59 or later for 14.1, 13.1-62.23 or later for 13.1, and 13.1-37.262 or later for 13.1-FIPS/NDcPP.

Keep an eye on official Citrix and CISA advisories for any new developments or guidance changes.

Additionally, enforce best practices such as limiting access to NetScaler appliances, using network segmentation, and activating monitoring tools to quickly spot any abnormal behavior indicating exploitation.

  • Verify whether NetScaler appliances are configured as SAML Identity Providers by checking for authentication samlIdPProfile entries.
  • Update NetScaler ADC and Gateway to patched versions 14.1-66.59 or newer, 13.1-62.23 or newer, and 13.1-FIPS/NDcPP 13.1-37.262 or newer.
  • Continuously monitor official Citrix and CISA advisories for updates or new mitigation instructions.
  • Limit administrative access, apply network segmentation, and enable monitoring to detect suspicious activities indicating exploitation attempts.
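The two checks above (is the appliance a SAML IdP, and is its build at or past the fixed build for its branch) are easy to get wrong across a fleet, so here is an added example of an offline triage helper. It is not Citrix's or this blog's code. It reads an exported configuration and a version string, looks for authentication samlIdPProfile entries, and compares the build numerically against the fixed builds listed in the affected-versions section. The ns.conf line shape (`add authentication samlIdPProfile <name> ...`), the `NetScaler NS14.1: Build 47.46.nc` version format, the sample configurations and the version strings are all assumptions or constructed values, not data from the advisory.

```python
"""Added example (not Citrix's or the blog's code): offline triage helper for
CVE-2026-3055 exposure. Takes exported NetScaler config text plus a version
string and reports whether the appliance is a SAML IdP on an unpatched build."""
import re
from dataclasses import dataclass, field
from typing import Optional

# First fixed build per branch, exactly as listed in the advisory.
# 13.1-FIPS and 13.1-NDcPP share one fixed build, so they share one key.
FIXED_BUILDS = {
    "14.1": "66.59",
    "13.1": "62.23",
    "13.1-FIPS/NDcPP": "37.262",
}

# ASSUMPTION: ns.conf declares IdP profiles on lines beginning
# 'add authentication samlIdPProfile <name> ...' (the advisory only says the
# profiles appear as "authentication samlIdPProfile entries").
SAML_IDP_PROFILE_RE = re.compile(
    r"^\s*(?:add|set)\s+authentication\s+samlIdPProfile\s+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Accepts the advisory's '14.1-66.59' form and, as an ASSUMPTION, the
# 'NetScaler NS14.1: Build 66.59.nc, ...' form printed by 'show ns version'.
VERSION_RE = re.compile(
    r"(\d+\.\d+)(?:-(?:FIPS|NDcPP))?[-:\s]+(?:Build\s+)?(\d+\.\d+)", re.IGNORECASE
)
VARIANT_RE = re.compile(r"\b(?:FIPS|NDcPP)\b", re.IGNORECASE)


def parse_version(version_str: str) -> tuple[str, str]:
    """Return (branch_key, build), e.g. ('13.1-FIPS/NDcPP', '37.262')."""
    m = VERSION_RE.search(version_str)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version_str!r}")
    branch, build = m.group(1), m.group(2)
    if VARIANT_RE.search(version_str):
        branch = f"{branch}-FIPS/NDcPP"
    return branch, build


def build_tuple(build: str) -> tuple[int, ...]:
    """'66.59' -> (66, 59): numeric compare, so 66.59 > 66.5 as intended."""
    return tuple(int(part) for part in build.split("."))


def is_patched(branch: str, build: str) -> Optional[bool]:
    """True/False against the advisory's fixed build; None if the branch is not listed."""
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build_tuple(build) >= build_tuple(fixed)


def find_saml_idp_profiles(ns_conf: str) -> list[str]:
    """Names of SAML IdP profiles declared in the config, in order, deduplicated."""
    seen: dict[str, None] = {}
    for name in SAML_IDP_PROFILE_RE.findall(ns_conf):
        seen.setdefault(name, None)
    return list(seen)


@dataclass
class Assessment:
    branch: str
    build: str
    fixed_build: Optional[str]
    saml_idp_profiles: list[str] = field(default_factory=list)
    patched: Optional[bool] = None

    @property
    def status(self) -> str:
        # Exposure needs both advisory conditions: an IdP profile AND an unpatched build.
        if not self.saml_idp_profiles:
            return "NOT_EXPOSED"      # not a SAML IdP; still patch on the normal schedule
        if self.patched is None:
            return "UNKNOWN_BRANCH"   # branch not in the advisory; consult vendor guidance
        return "PATCHED" if self.patched else "VULNERABLE"


def assess(ns_conf: str, version_str: str) -> Assessment:
    branch, build = parse_version(version_str)
    return Assessment(
        branch=branch,
        build=build,
        fixed_build=FIXED_BUILDS.get(branch),
        saml_idp_profiles=find_saml_idp_profiles(ns_conf),
        patched=is_patched(branch, build),
    )


# Constructed sample configs (not taken from any real appliance).
SAMPLE_IDP_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof_1 -samlIdPCertName idp_cert
add authentication samlIdPPolicy idp_pol_1 -rule true -action idp_prof_1
add vpn vserver gw_vs SSL 192.0.2.20 443
"""
SAMPLE_SP_ONLY_CONF = """\
set ns config -IPAddress 192.0.2.11 -netmask 255.255.255.0
add authentication samlAction sp_act -samlIdPCertName ext_idp_cert
"""

if __name__ == "__main__":
    for conf, ver in [(SAMPLE_IDP_CONF, "NetScaler NS14.1: Build 47.46.nc"),
                      (SAMPLE_IDP_CONF, "14.1-66.59"),
                      (SAMPLE_SP_ONLY_CONF, "13.1-62.22")]:
        a = assess(conf, ver)
        print(f"{ver!r:40} profiles={a.saml_idp_profiles} fixed={a.fixed_build} -> {a.status}")
```

The status is deliberately four-valued: a NOT_EXPOSED appliance still needs the patch on its normal cadence, and UNKNOWN_BRANCH flags builds the advisory does not cover rather than silently marking them safe. Builds are compared as integer tuples, not strings, because a lexical compare would rank 66.5 above 66.59.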

Sources

This post was generated from verified public reporting and primary source material. The links below are the core references used in the final review.