CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) catalogue. The entry covers Citrix NetScaler ADC, NetScaler Gateway, and NetScaler ADC FIPS and NDcPP appliances. Listed as "Citrix NetScaler Out-of-Bounds Read Vulnerability", the flaw permits memory overread when the device operates as a SAML identity provider (IdP).
The vulnerability is an out-of-bounds read weakness affecting SAML IdP configurations. Exploitation enables memory overread, potentially disclosing sensitive authentication data or session tokens. NVD rates this flaw 9.3 on the CVSS scale, marking it CRITICAL. Citrix has published a security bulletin with mitigation steps; however, comprehensive patch availability remains unspecified in current disclosures.
Active exploitation of this vulnerability is confirmed in the wild. CISA has not attributed the flaw to specific ransomware campaigns at this time. Federal agencies face a remediation deadline of 2026-04-02.
CISA requires Federal Civilian Executive Branch agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. All organisations running affected NetScaler appliances should audit their SAML configurations and apply appropriate controls.
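The following Python snippet is an added example (not CISA's, Citrix's, or NVD's code) of how a defender might turn a KEV entry into a remediation worklist: it parses a record in the shape of CISA's public KEV JSON feed, matches it against a small asset inventory, and ranks hosts by whether they run the exposed role (SAML IdP) and by days left before the due date. The feed record and inventory are constructed for this example; only the CVE id, product names, due date and required-action wording come from the advisory above, and the `dateAdded` value is a labelled placeholder because the advisory does not state it.

```python
"""KEV triage helper (added example, not CISA/Citrix code)."""
import json
from datetime import date

# Constructed KEV-style record. Field names follow the public KEV JSON feed;
# dateAdded is a placeholder because the advisory does not give it.
KEV_FEED = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-3055",
            "vendorProject": "Citrix",
            "product": "NetScaler ADC and NetScaler Gateway",
            "vulnerabilityName": "Citrix NetScaler Out-of-Bounds Read Vulnerability",
            "dateAdded": "PLACEHOLDER",
            "shortDescription": "Out-of-bounds read when operating as a SAML IdP.",
            "requiredAction": ("Apply mitigations per vendor instructions, follow applicable "
                               "BOD 22-01 guidance for cloud services, or discontinue use of "
                               "the product if mitigations are unavailable."),
            "dueDate": "2026-04-02",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# Constructed asset inventory. 'saml_idp' records whether the appliance is
# configured as a SAML identity provider, the condition the advisory names.
INVENTORY = [
    {"host": "ns-gw-01", "vendor": "Citrix", "product": "NetScaler Gateway", "saml_idp": True},
    {"host": "ns-adc-02", "vendor": "Citrix", "product": "NetScaler ADC", "saml_idp": False},
    {"host": "fw-01", "vendor": "OtherVendor", "product": "Firewall", "saml_idp": False},
]


def matches(entry, asset):
    """Vendor must match exactly; the asset's product name must appear in
    the KEV product string (KEV often lists several products in one field)."""
    return (asset["vendor"].lower() == entry["vendorProject"].lower()
            and asset["product"].lower() in entry["product"].lower())


def triage(feed_json, inventory, today):
    """Return a worklist of affected hosts, most urgent first."""
    feed = json.loads(feed_json)
    worklist = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not matches(entry, asset):
                continue
            days_left = (due - today).days
            # 'exposed' = runs the vulnerable role; 'in-scope' = affected
            # product but the SAML IdP role is not configured.
            exposure = "exposed" if asset.get("saml_idp") else "in-scope"
            worklist.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "exposure": exposure,
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
                "required_action": entry["requiredAction"],
            })
    # Exposed hosts first, then by time remaining.
    worklist.sort(key=lambda w: (w["exposure"] != "exposed", w["days_left"]))
    return worklist


if __name__ == "__main__":
    for item in triage(KEV_FEED, INVENTORY, date.today()):
        print(f'{item["host"]:10} {item["cve"]} {item["exposure"]:9} '
              f'days_left={item["days_left"]} overdue={item["overdue"]}')
```

In practice the feed would be the live KEV JSON and the inventory would come from a CMDB; the SAML IdP flag is what separates "patch on schedule" from "treat as actively exposed" for this particular entry.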
Full technical details are available via the NVD entry for CVE-2026-3055 and the CISA KEV catalogue.