According to Infosecurity Magazine, Citrix has released a new critical security bulletin addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway.
The first, CVE-2026-3055, is a critical out-of-bounds read (CVSS v4.0 9.3) caused by insufficient input validation; an unauthenticated remote attacker could potentially use it to leak memory contents. It affects NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1-FIPS/NDcPP before 13.1-37.262, but only when the appliance is configured as a SAML identity provider (IdP); default configurations are not affected.
Citrix notes that only customer-managed instances are affected, not cloud-managed ones, and that administrators can identify a SAML IdP configuration by searching the running configuration for the string “add authentication samlIdPProfile *”. Cloud Software Group has issued updated builds and Global Deny List signatures to mitigate CVE-2026-3055, with guidance that the signature-based mitigation applies to the 14.1-60.52 and 14.1-60.57 firmware builds.
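The two conditions above (an affected build and a SAML IdP profile in the configuration) are easy to combine into a one-shot triage check. The script below is an added example and is not code from Citrix, Cloud Software Group or Infosecurity Magazine. It assumes the fixed builds and the marker string exactly as quoted in the article, treats the 13.1-37.x build line as the FIPS/NDcPP line (an assumption, since the bulletin lists that line separately), and expects the version in the form “release-major.minor”, e.g. 14.1-66.54, which is how the “Build” field of `show ns version` reads; the two sample configuration files are constructed for the stand-alone run and are not real ns.conf extracts.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-3055, not code from Citrix or Infosecurity Magazine.
# Assumptions: fixed builds 14.1-66.59, 13.1-62.23 and 13.1-37.262 as quoted in the
# article; the 13.1-37.x build line is the FIPS/NDcPP line; versions are passed as
# "REL-MAJOR.MINOR", e.g. 14.1-66.54.

# is_vulnerable_build VERSION
#   0 = below the fixed build for its release line (exposed if SAML IdP is on)
#   1 = fixed, or a release line this bulletin does not list
#   2 = string is not in the expected REL-MAJOR.MINOR form
is_vulnerable_build() {
  ver="$1"
  case "$ver" in
    *-*.*) ;;
    *) echo "unrecognised version string: $ver" >&2; return 2 ;;
  esac
  rel="${ver%%-*}"       # 14.1
  build="${ver#*-}"      # 66.54
  major="${build%%.*}"   # 66
  minor="${build#*.}"    # 54
  case "$rel" in
    14.1) fix_major=66; fix_minor=59 ;;
    13.1)
      if [ "$major" -eq 37 ]; then      # FIPS/NDcPP line (assumption, see above)
        fix_major=37; fix_minor=262
      else
        fix_major=62; fix_minor=23
      fi ;;
    *) return 1 ;;                       # e.g. 12.1: not covered by this bulletin
  esac
  if [ "$major" -lt "$fix_major" ]; then return 0; fi
  if [ "$major" -eq "$fix_major" ] && [ "$minor" -lt "$fix_minor" ]; then return 0; fi
  return 1
}

# has_saml_idp NSCONF: 0 if the configuration declares a SAML IdP profile
has_saml_idp() {
  grep -q 'add authentication samlIdPProfile' "$1"
}

# triage VERSION NSCONF: 0 (and an EXPOSED line) only when both conditions hold
triage() {
  if is_vulnerable_build "$1" && has_saml_idp "$2"; then
    echo "EXPOSED: build $1 with a SAML IdP profile in $2"
    return 0
  fi
  echo "not exposed: build $1 ($2)"
  return 1
}

# Constructed sample configurations (not real ns.conf extracts) for a stand-alone run.
SAMPLE_IDP=$(mktemp); SAMPLE_NOIDP=$(mktemp)
trap 'rm -f "$SAMPLE_IDP" "$SAMPLE_NOIDP"' EXIT
cat >"$SAMPLE_IDP" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idpcert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication vserver auth_vs SSL 192.0.2.20 443
EOF
cat >"$SAMPLE_NOIDP" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 192.0.2.21 443
EOF

# On an appliance you would run: triage "<Build from show ns version>" /nsconfig/ns.conf
triage "14.1-66.54" "$SAMPLE_IDP" || true
triage "14.1-66.59" "$SAMPLE_IDP" || true
```

The build comparison is deliberately per release line rather than a plain string compare, because 13.1-37.262 (FIPS/NDcPP) is numerically lower than 13.1-62.23 yet is the fixed build for its own line; a naive lexical check would mark every FIPS build as vulnerable. A match on the marker string is the condition Citrix gives, so a cloud-managed or default-configured appliance that has no `samlIdPProfile` line reports “not exposed” even on an affected build.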
A second flaw, CVE-2026-4368, is a high-severity race condition (CVSS v4.0 7.7) affecting build 14.1-66.54 when the appliance is configured as a Gateway or AAA virtual server; it is fixed in 14.1-66.59. At the time of writing there is no known in-the-wild exploitation and no public proof of concept.