Citrix has released fixes for two NetScaler vulnerabilities that security teams should review promptly: CVE-2026-3055, described as a critical memory overread, and CVE-2026-4368, a race condition that can cause user session mix-ups. Both affect NetScaler ADC and NetScaler Gateway appliances deployed at the network edge.
According to current public reporting on the Citrix bulletin, CVE-2026-3055 is an out-of-bounds memory disclosure that can occur when the appliance is configured as a SAML Identity Provider (IdP), while CVE-2026-4368 affects systems configured as Gateway or AAA virtual servers. The affected versions listed include 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23 for CVE-2026-3055, and 14.1-66.54 for CVE-2026-4368.
As of 24 March 2026 there is no public confirmation of in-the-wild exploitation or a public proof of concept (PoC), but defenders are advised to treat these disclosures seriously and prioritise patching. They should verify whether appliances are internet-facing, check whether the vulnerable features (SAML IdP, Gateway, or AAA virtual servers) are enabled, and follow the vendor guidance in the Citrix bulletin to upgrade.
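The triage steps above, as an added example that is not part of the original article or of any Citrix tooling: a small Python script that reads the `show ns version` line and the appliance's running configuration, compares the build against the CVE-2026-3055 fixed builds stated above, and reports whether the SAML IdP or Gateway/AAA features are configured. It assumes the usual `NetScaler NSxx.x: Build nn.nn.nc` version format and the standard `add authentication samlIdPProfile`, `add vpn vserver` and `add authentication vserver` CLI objects; the CVE-2026-4368 threshold is not encoded because the article does not state it as a range.

```python
import re

# Fixed builds for CVE-2026-3055 as stated in the article: 14.1 before 14.1-66.59
# and 13.1 before 13.1-62.23 are affected. Releases not listed here are not
# covered by this summary and must be checked against the Citrix bulletin.
FIXED_BUILDS_CVE_2026_3055 = {"14.1": (66, 59), "13.1": (62, 23)}

# Assumes the usual `show ns version` line, e.g.
# "NetScaler NS14.1: Build 66.54.nc, Date: ..." (sample values constructed).
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Config objects that indicate the vulnerable features are in use.
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.M)
GATEWAY_OR_AAA_RE = re.compile(r"^add (vpn|authentication) vserver\b", re.M)


def parse_ns_version(show_ns_version_output):
    """Return (release, (build_major, build_minor)) from `show ns version` text."""
    m = VERSION_RE.search(show_ns_version_output)
    if not m:
        raise ValueError("no NetScaler version line found")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected_cve_2026_3055(release, build):
    """True if the build predates the fix, False if fixed, None if release is not in the summary."""
    fixed = FIXED_BUILDS_CVE_2026_3055.get(release)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (66, 54) < (66, 59)


def assess(show_ns_version_output, ns_conf):
    """Combine the version check with the feature checks into one triage record."""
    release, build = parse_ns_version(show_ns_version_output)
    return {
        "release": release,
        "build": build,
        "cve_2026_3055_unpatched": is_affected_cve_2026_3055(release, build),
        "saml_idp_configured": bool(SAML_IDP_RE.search(ns_conf)),
        "gateway_or_aaa_vserver": bool(GATEWAY_OR_AAA_RE.search(ns_conf)),
    }


if __name__ == "__main__":
    # Constructed sample input: an unpatched 14.1 appliance acting as a SAML IdP.
    sample_version = "NetScaler NS14.1: Build 66.54.nc, Date: Jan 1 2026, 00:00:00"
    sample_conf = ("add vpn vserver gw SSL 203.0.113.10 443\n"
                   "add authentication samlIdPProfile idp_prof\n")
    print(assess(sample_version, sample_conf))
```

Run it against the output of `show ns version` and `show ns runningConfig` collected from each appliance; a result with `cve_2026_3055_unpatched` true and `saml_idp_configured` true is the combination the article flags for priority patching.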