Attackers are actively probing CVE-2026-3055, a critical Citrix NetScaler flaw rated CVSS 9.3 that can leak potentially sensitive data through a memory over-read when NetScaler ADC or NetScaler Gateway is configured as a SAML identity provider (IdP). Rapid7 researchers point out that, per the advisory, systems set up as a SAML Identity Provider are vulnerable while default configurations are not; Citrix urges immediate patching, as similar memory-leak flaws were widely exploited in 2023.
The flaw stems from insufficient input validation and can be triggered without authentication to exfiltrate data from the appliance's memory; no in-the-wild exploits are known at present. Observations from Defused Cyber and watchTowr Intel indicate active reconnaissance and probing, and researchers warn that in-the-wild exploitation could begin soon once exploit code circulates.
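Because the advisory ties exposure to the SAML IdP configuration rather than to the default setup, the first question for a defender is whether a given appliance is actually running as a SAML IdP. The following script is an added example, not code from the article, Citrix or Rapid7: it scans a saved NetScaler `ns.conf` for SAML IdP profile and policy definitions and reports only those policies that are bound to a vserver, since an unbound policy is not in effect. The command names (`add authentication samlIdPProfile`, `add authentication samlIdPPolicy`, `bind authentication vserver`, `bind vpn vserver`) are assumptions based on the NetScaler CLI syntax and should be checked against your firmware's reference; the two configuration excerpts are constructed samples, not real appliance output.

```python
"""Heuristic check: does a NetScaler ns.conf configure the appliance as a SAML IdP?

Added example (not from the article or from Citrix). Command names below are
assumptions based on the NetScaler CLI syntax; verify against your firmware docs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an appliance with a SAML IdP profile, a policy using it,
# and that policy bound to an authentication vserver (i.e. the exposed setup).
SAMPLE_NS_CONF_IDP = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 192.0.2.20 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
add authentication samlIdPPolicy stale_pol -rule true -action idp_prof
bind authentication vserver auth_vs -policy idp_pol -priority 100
"""

# Constructed sample: a default-style config with no SAML IdP objects at all.
SAMPLE_NS_CONF_DEFAULT = """\
set ns config -IPAddress 192.0.2.11 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 192.0.2.21 443
"""

# One line per object; re.M makes ^ match at each line start and '.' stays on the line.
PROFILE_RE = re.compile(r"^add authentication samlIdPProfile\s+(\S+)", re.M)
POLICY_RE = re.compile(r"^add authentication samlIdPPolicy\s+(\S+).*?-action\s+(\S+)", re.M)
BIND_RE = re.compile(r"^bind (?:authentication|vpn) vserver\s+(\S+).*?-policy\s+(\S+)", re.M)


@dataclass
class SamlIdpFindings:
    profiles: set = field(default_factory=set)     # samlIdPProfile names
    policies: dict = field(default_factory=dict)   # policy name -> profile (action)
    active: list = field(default_factory=list)     # (vserver, policy, profile) tuples
    unbound: list = field(default_factory=list)    # IdP policies defined but never bound

    @property
    def idp_configured(self) -> bool:
        """True when at least one SAML IdP policy is bound, i.e. the IdP role is live."""
        return bool(self.active)


def parse_ns_conf(text: str) -> SamlIdpFindings:
    """Extract SAML IdP objects and their bindings from ns.conf text."""
    findings = SamlIdpFindings()
    findings.profiles = set(PROFILE_RE.findall(text))
    findings.policies = {name: action for name, action in POLICY_RE.findall(text)}

    bound = set()
    for vserver, policy in BIND_RE.findall(text):
        # Only bindings that reference a SAML IdP policy matter here;
        # other policy types bound to the same vserver are ignored.
        if policy in findings.policies:
            bound.add(policy)
            findings.active.append((vserver, policy, findings.policies[policy]))

    findings.unbound = sorted(p for p in findings.policies if p not in bound)
    return findings


def report(text: str) -> dict:
    """Summarise the exposure question for an ns.conf in a form fit for inventory tooling."""
    f = parse_ns_conf(text)
    return {
        "saml_idp_configured": f.idp_configured,
        "active_bindings": f.active,
        "unbound_idp_policies": f.unbound,
        # A policy whose -action names a profile that does not exist is a config error
        # worth flagging, not an exposure.
        "dangling_policies": sorted(p for p, prof in f.policies.items() if prof not in f.profiles),
    }


if __name__ == "__main__":
    for label, conf in (("idp", SAMPLE_NS_CONF_IDP), ("default", SAMPLE_NS_CONF_DEFAULT)):
        print(label, report(conf))
```

Run it against an `ns.conf` pulled from each appliance (`report(open(path).read())`); a `saml_idp_configured` of `True` marks the appliance as in the exposed configuration the advisory describes and therefore first in line for the update, while `unbound_idp_policies` and `dangling_policies` surface leftover objects that should be cleaned up or, if still needed, reviewed. The check is a configuration heuristic only; it does not determine whether the installed firmware is a fixed version.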
Citrix has released security updates and notes the vulnerability is likely to affect organisations using affected NetScaler versions in certain configurations.

March 29, 2026.