The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Citrix NetScaler flaw, tracked as CVE-2026-3055 (CVSS score 9.3), to its Known Exploited Vulnerabilities (KEV) catalog. In March, Citrix issued security updates for two NetScaler vulnerabilities, including CVE-2026-3055, which allows unauthenticated attackers to leak memory from the appliance when it is configured as a SAML identity provider (IdP).
The vulnerability is an out-of-bounds read caused by insufficient input validation, and it can be triggered only if Citrix ADC or Citrix Gateway is configured as a SAML IdP, according to analysis published by Rapid7 researchers. Rapid7 noted that CVE-2026-3055 had no known in-the-wild exploitation or public proof-of-concept code at the time of the March patch release and that Citrix had discovered the bug internally, but judged exploitation likely once exploit code became available and urged organisations to patch promptly. CISA adds a CVE to the KEV catalog only when it has reliable evidence of active exploitation, so the earlier "no known exploits" assessment should not be treated as current.
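Because the bug is reachable only on appliances acting as a SAML IdP, the first triage question is whether a given NetScaler actually has a SAML IdP profile bound to a virtual server, as opposed to a profile that is merely defined, or a SAML service-provider (`samlAction`) configuration that is out of scope here. The following Python script is added as an illustration and is not part of the original article or of any Citrix tooling. It parses the command-form running configuration (`ns.conf`, or the output of `show ns runningConfig`) and reports the SAML IdP profiles, which policies reference them, and which virtual servers those policies are bound to. The sample configuration is constructed; the script assumes the NetScaler CLI syntax `add authentication samlIdPProfile <name> ...`, `add authentication samlIdPPolicy <name> -rule <expr> -action <profile>` and `bind <type> vserver <vs> -policy <policy> ...`.

```python
import shlex

# Constructed sample of a NetScaler running configuration. Not captured from a
# real appliance; it follows the command form NetScaler writes to ns.conf.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication vserver auth_vs SSL 10.0.0.20 443
add vpn vserver gw_vs SSL 10.0.0.30 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.net/saml/acs" -samlIssuerName "https://idp.example.net" -signatureAlg RSA-SHA256
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
bind authentication vserver auth_vs -policy idp_pol -priority 100
add authentication samlIdPProfile stale_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://old.example.net/acs"
add authentication samlAction sp_act -samlIdPCertName other_idp -samlRedirectUrl "https://login.example.org/sso"
add authentication Policy sp_pol -rule true -action sp_act
bind vpn vserver gw_vs -policy sp_pol -priority 100
"""

# Constructed config where NetScaler is only a SAML service provider (SP), not an IdP.
SP_ONLY_NS_CONF = """\
add vpn vserver gw_vs SSL 10.0.0.30 443
add authentication samlAction sp_act -samlIdPCertName other_idp -samlRedirectUrl "https://login.example.org/sso"
add authentication Policy sp_pol -rule true -action sp_act
bind vpn vserver gw_vs -policy sp_pol -priority 100
"""


def _parse_opts(tokens):
    """Turn ['-rule', 'true', '-action', 'x'] into {'rule': 'true', 'action': 'x'}.

    NetScaler option names are case-insensitive, so keys are lower-cased.
    """
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        is_flag = tok.startswith("-") and len(tok) > 1 and tok[1].isalpha()
        if is_flag and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            opts[tok[1:].lower()] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def assess_saml_idp(ns_conf):
    """Return which SAML IdP profiles exist and whether any is actually in service.

    A profile only puts the appliance in the SAML IdP role once a samlIdPPolicy
    referencing it is bound to a virtual server; unbound profiles are reported
    separately so they can be cleaned up but are not counted as exposure.
    """
    profiles = {}   # samlIdPProfile name -> option dict
    policies = {}   # samlIdPPolicy name -> profile it invokes (-action)
    bindings = []   # (vserver type, vserver name, policy name)

    for raw in ns_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            toks = shlex.split(line)        # honours the double quotes ns.conf uses
        except ValueError:
            continue                        # unbalanced quote: skip, do not guess
        if not toks:
            continue
        low = [t.lower() for t in toks]
        if low[:3] == ["add", "authentication", "samlidpprofile"] and len(toks) > 3:
            profiles[toks[3]] = _parse_opts(toks[4:])
        elif low[:3] == ["add", "authentication", "samlidppolicy"] and len(toks) > 3:
            policies[toks[3]] = _parse_opts(toks[4:]).get("action")
        elif low[0] == "bind" and len(toks) > 3 and low[2] == "vserver":
            opts = _parse_opts(toks[4:])
            if "policy" in opts:
                bindings.append((toks[1], toks[3], opts["policy"]))

    # Only bindings of samlIdPPolicy objects matter; SP-side (samlAction) bindings are ignored.
    bound = [(vs, pol, policies[pol]) for _, vs, pol in bindings if pol in policies]
    bound_profiles = {prof for _, _, prof in bound}
    unbound = sorted(p for p in profiles if p not in bound_profiles)
    return {
        "acts_as_saml_idp": bool(bound),
        "bound": bound,                  # (vserver, policy, profile) triples in config order
        "unbound_profiles": unbound,
        "profiles": profiles,
    }


if __name__ == "__main__":
    result = assess_saml_idp(SAMPLE_NS_CONF)
    print("acts as SAML IdP:", result["acts_as_saml_idp"])
    for vs, pol, prof in result["bound"]:
        acs = result["profiles"][prof].get("assertionconsumerserviceurl", "?")
        print(f"  vserver {vs}: policy {pol} -> profile {prof} (ACS {acs})")
    if result["unbound_profiles"]:
        print("unbound IdP profiles:", ", ".join(result["unbound_profiles"]))
```

Feed it the output of `show ns runningConfig` saved from each appliance. A result of `acts_as_saml_idp: True` means the vulnerable code path is reachable and the box should be at the front of the patch queue; `False` lowers urgency but does not remove the need to update, since the fix for CVE-2026-4368 ships in the same release. The script deliberately does not compare build numbers: the fixed versions are in the Citrix advisory, not on this page, and should be checked against `show ns version` separately.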
A second vulnerability fixed in the same Citrix release is a race condition, tracked as CVE-2026-4368 (CVSS score 7.7), that can cause user sessions to be mixed up. Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV-listed flaws by their due dates; for CVE-2026-3055, CISA has set a deadline of 2 April 2026. Private organisations are also advised to review the KEV catalog and apply mitigations where appropriate.