Citrix has released patches for a critical vulnerability in NetScaler ADC and NetScaler Gateway, tracked as CVE-2026-3055 (CVSS 9.3), which is an out-of-bounds read flaw that can be exploited remotely to read sensitive information from memory in deployments configured as a SAML Identity Provider.
Fixes are included in NetScaler ADC and NetScaler Gateway versions 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1.37.262, and the updates also address CVE-2026-4368, a high-severity race condition that could cause user session mix-ups. Citrix notes that the vulnerability requires a SAML IDP configuration and advises customers to apply patches promptly, though the company's advisory makes no mention of exploitation in the wild.
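As an added defender-side check, not part of the SecurityWeek report or Citrix's advisory: a small Python comparator that tests a NetScaler version string against the fixed builds listed above, keeping the 13.1-NDcPP branch separate from mainline 13.1 so a Common Criteria build is never judged against the wrong threshold. It assumes the input uses the advisory's own "<branch>-<build>" spelling (for example "14.1-66.59" or "13.1-NDcPP 13.1.37.262"); that input format is an assumption, not something the page states.

```python
"""Compare a NetScaler ADC / Gateway version string against the fixed builds
from Citrix's advisory for CVE-2026-3055 and CVE-2026-4368.

Assumption (not from the advisory): input strings follow the advisory's own
"<branch>-<build>" form, e.g. "14.1-66.59" or "13.1-NDcPP 13.1.37.262".
"""
import re

# Fixed builds as listed in the advisory, keyed by branch.  Only the build
# number is compared; the branch must match exactly, so an NDcPP build is
# never compared against the mainline 13.1 threshold.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-NDcPP": (37, 262),
}

_VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+\.\d+)(?:-(?P<variant>[A-Za-z]+))?[-: ]\s*(?P<build>[\d.]+)\s*$"
)


def parse_version(version):
    """Return (branch, (build_major, build_minor)) or raise ValueError."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, variant, build = m.group("major"), m.group("variant"), m.group("build")
    branch = f"{major}-{variant}" if variant else major
    # The NDcPP build repeats the branch prefix ("13.1.37.262"); drop it so
    # that only the build number itself is compared.
    if build.startswith(major + "."):
        build = build[len(major) + 1:]
    parts = tuple(int(p) for p in build.split(".") if p)
    if len(parts) < 2:
        raise ValueError(f"build number too short in {version!r}")
    return branch, parts[:2]


def is_patched(version):
    """True if the build is at or above the fixed build for its own branch.

    Raises ValueError for a branch the advisory does not list, so an unknown
    branch is never silently reported as fixed.
    """
    branch, build = parse_version(version)
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by the advisory")
    return build >= FIXED_BUILDS[branch]
```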
Security researchers quoted by SecurityWeek say CVE-2026-3055 should not be treated lightly, with watchTowr’s Benjamin Harris warning that exploitation could begin soon and that unauthenticated attackers might leak memory from vulnerable deployments; Rapid7 likewise believes attacks could start once exploitation code becomes public. NetScaler devices are described as critical for initial enterprise access, and defenders are urged to patch urgently.