Citrix has issued an urgent security advisory warning organizations to patch a critical vulnerability affecting Citrix NetScaler ADC and Citrix NetScaler Gateway. The flaw could allow attackers to remotely access sensitive information stored in device memory without authentication.
The vulnerability, tracked as CVE-2026-3055, carries a high CVSS score of 9.3, making it one of the most serious security risks discovered in NetScaler devices recently. Security experts warn that organizations using affected versions should immediately apply the latest patches to prevent potential cyberattacks.
Citrix also addressed another security issue identified as CVE-2026-4368, which could lead to session mix-ups between users under certain configurations.
This latest advisory highlights the continued focus of threat actors on NetScaler infrastructure, which is widely used in enterprise environments for secure remote access, application delivery, and authentication services.
The most serious vulnerability, CVE-2026-3055, stems from insufficient input validation, which can lead to a memory over-read condition. According to cybersecurity researchers at Rapid7, this flaw is essentially an out-of-bounds read vulnerability.
In simple terms, attackers can trick the device into revealing data from its memory that should normally remain protected. This leaked information could include:
- Authentication tokens
- Session data
- Credentials
- Configuration details
- Other sensitive system information
What makes the vulnerability particularly dangerous is that attackers do not need authentication to exploit it. This means that a remote attacker could potentially trigger the vulnerability over the network without logging into the system.
However, the exploit is only possible when the NetScaler device is configured as a SAML Identity Provider (SAML IdP). Because of this requirement, systems running default configurations may not be affected.
Citrix has advised administrators to review their NetScaler configuration to determine whether their device is configured as a SAML Identity Provider.
Security teams can verify this by checking for the following configuration string:
If this configuration exists, the system may be vulnerable to exploitation through CVE-2026-3055, and administrators should prioritize applying the patch immediately.
The second flaw addressed by Citrix, CVE-2026-4368, carries a CVSS score of 7.7 and is caused by a race condition.
Race conditions occur when two processes attempt to access the same resource simultaneously, leading to unexpected behavior. In this case, the issue could result in user session mix-ups, potentially allowing one user to access another user’s session.
This vulnerability can only be exploited when NetScaler appliances are configured as:
- SSL VPN gateways
- ICA Proxy services
- CVPN gateways
- RDP Proxy servers
- Authentication, Authorization, and Accounting (AAA) servers
Administrators can verify whether these configurations exist by checking for the following entries in the NetScaler configuration:
- AAA Server Configuration
- Gateway Configuration
If these configurations are present, the system may be exposed to risks associated with CVE-2026-4368.
The vulnerabilities impact several versions of NetScaler products. Systems running the following versions are considered vulnerable:
- NetScaler ADC and Gateway 14.1 versions before 14.1-66.59
- NetScaler ADC and Gateway 13.1 versions before 13.1-62.23
- NetScaler ADC 13.1-FIPS before 13.1-37.262
- NetScaler ADC 13.1-NDcPP before 13.1-37.262
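To turn the version list above into an automatable check, here is an added example (not code from Citrix or the advisory) that parses NetScaler build strings and compares them against the fixed builds named in the advisory. It assumes build strings follow the `<major>.<minor>-<build>.<patch>` form shown in the list, and that FIPS/NDcPP appliances are identified separately by the caller since their build numbers differ from mainline 13.1.

```python
# Added example: check a NetScaler build string against the fixed builds
# listed in the advisory. Assumes the "<major>.<minor>-<build>.<patch>" form.
import re
from typing import Optional, Tuple

# Fixed builds per branch, taken from the advisory text above.
FIXED_BUILDS = {
    "14.1": "14.1-66.59",
    "13.1": "13.1-62.23",
    "13.1-FIPS": "13.1-37.262",
    "13.1-NDcPP": "13.1-37.262",
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Turn '14.1-66.59' into (14, 1, 66, 59) so builds compare numerically."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: str, branch: Optional[str] = None) -> bool:
    """True if `version` is older than the fixed build for its branch.

    `branch` selects the FIPS/NDcPP lines ("13.1-FIPS", "13.1-NDcPP"), which
    have a different fixed build than mainline 13.1; by default the branch is
    derived from the major.minor prefix of the version string.
    """
    parsed = parse_build(version)
    if branch is None:
        branch = f"{parsed[0]}.{parsed[1]}"
    if branch not in FIXED_BUILDS:
        # A branch the advisory does not list has no known fixed build;
        # flag it for manual review instead of reporting it as patched.
        raise ValueError(f"branch {branch!r} not covered by the advisory")
    return parsed < parse_build(FIXED_BUILDS[branch])


if __name__ == "__main__":
    # Constructed sample inputs, as they might appear in "show version" output.
    for v, b in [("14.1-59.19", None), ("14.1-66.59", None),
                 ("13.1-37.250", "13.1-FIPS"), ("13.1-62.23", None)]:
        state = "VULNERABLE" if is_vulnerable(v, b) else "patched"
        print(f"{v} ({b or 'mainline'}): {state}")
```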
Citrix strongly recommends that organizations upgrade to the latest patched versions immediately to ensure optimal protection.
Although there is currently no confirmed evidence of active exploitation, security experts believe attackers may soon attempt to exploit the vulnerability.
NetScaler appliances have historically been a popular entry point for cybercriminals attempting to infiltrate corporate networks. Several previous vulnerabilities in NetScaler systems have been actively exploited in large-scale attacks, including:
- CVE-2023-4966 (Citrix Bleed)
- CVE-2025-5777 (Citrix Bleed 2)
- CVE-2025-6543
- CVE-2025-7775
These incidents allowed attackers to steal session tokens, bypass authentication, and gain unauthorized access to enterprise networks.
Because NetScaler systems often sit at the network perimeter, they are considered high-value targets for threat actors seeking initial access into corporate environments.
Security researchers warn that the newly discovered vulnerability closely resembles earlier “Citrix Bleed” flaws that caused significant security incidents worldwide.
According to Benjamin Harris, CEO and founder of watchTowr, the new vulnerability should be taken very seriously.
He noted that the flaw allows attackers to read sensitive memory from NetScaler devices without authentication, which is similar to how earlier Citrix Bleed vulnerabilities were exploited.
Security experts believe that imminent exploitation is highly likely, especially because attackers actively monitor newly published security advisories for opportunities to compromise enterprise infrastructure.
NetScaler devices are widely deployed across enterprises to manage secure access to internal applications. Because of their critical role, any vulnerability affecting them can potentially expose an entire organization to cyberattacks.
To reduce risk, security teams should take the following steps immediately:
- Apply the latest Citrix security updates
- Review NetScaler configurations for SAML IdP settings
- Monitor logs for unusual activity
- Implement strong network monitoring and intrusion detection
Prompt patching is the most effective defense against attackers attempting to exploit newly discovered vulnerabilities.
The discovery of CVE-2026-3055 and CVE-2026-4368 once again highlights the importance of timely patch management in enterprise cybersecurity. With NetScaler appliances frequently targeted by threat actors, organizations must act quickly to update vulnerable systems and strengthen their security posture before attackers exploit these weaknesses.