
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-3055 to its Known Exploited Vulnerabilities (KEV) catalogue after confirming that the flaw is being exploited in attacks. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate the issue by the due date listed in the catalogue entry.
The vulnerability carries a CVSS score of 9.3 and is an out-of-bounds read (memory overread) that can be triggered only when NetScaler ADC or NetScaler Gateway is configured as a SAML identity provider (IdP). It stems from insufficient input validation while the appliance processes SAML requests, so a crafted request can make the appliance read past the intended buffer.
Citrix fixed the issue in March. Affected are NetScaler ADC and NetScaler Gateway 14.1 builds before 14.1-66.59, 13.1 builds before 13.1-62.23, and the 13.1-FIPS and 13.1-NDcPP builds before 13.1-37.262. A second flaw, CVE-2026-4368, was fixed in the same release but has not been added to the KEV list. See the Citrix security bulletin for details.
Researchers have observed active exploitation in the wild: honeypot sensors have recorded attempts to trigger the memory overread and harvest sensitive data, such as session tokens, from the leaked memory. To date, no specific threat actor has been publicly linked to these incidents.
Administrators should first confirm whether an appliance is configured as a SAML IdP; on the NetScaler CLI, show authentication samlIdPProfile lists any IdP profiles and show authentication samlIdPPolicy shows the policies that bind them to an authentication virtual server. If an IdP profile is in use, applying the fixed Citrix builds is the primary mitigation. In parallel, review who can reach the SAML IdP endpoint and enable detailed authentication logging so that abnormal SAML traffic is noticed early.
Where immediate patching is not possible, reduce exposure of the SAML IdP path itself. Restricting access to the management interface is sound hygiene, but the flaw is reached through the authentication virtual server that processes SAML requests, not through the management plane, so limit which networks can reach that endpoint and review the authentication and access logs for unexpected or malformed SAML requests (the overread itself is not something the appliance logs as such; what can be seen is the request that triggers it). CISA urges all organisations to treat the vulnerability as a priority under Binding Operational Directive 22-01, and consulting the KEV catalogue and vendor advisories regularly ensures that emerging threats are addressed promptly.
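The exposure check described above, as an added example in Python that is not part of the article or of Citrix's tooling: it parses captured output of the NetScaler CLI commands show ns version and show authentication samlIdPProfile (the sample output below is constructed, not a real capture) and compares the running build with the fixed builds named in the bulletin. Whether an appliance runs the 13.1 FIPS/NDcPP train is passed in as a flag, since the article does not say how to tell that train apart from the version line alone (assumption); getting that flag wrong flips the verdict, which the last sample shows.

```python
"""Exposure triage for CVE-2026-3055 (NetScaler ADC/Gateway SAML IdP overread).

Added example, not Citrix tooling. Input is captured text of two NetScaler
CLI commands; the samples below are constructed, not real captures.
"""
import re

# Earliest fixed build per release train, as listed in the article. The
# 13.1 FIPS/NDcPP train has its own build numbering, so the caller must say
# which train the appliance runs (assumption: the version line alone does
# not reveal this).
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

# Matches the first line of `show ns version`, e.g.
# "NetScaler NS13.1: Build 58.32.nc, Date: ..." (constructed format).
VERSION_RE = re.compile(
    r"NetScaler NS(?P<train>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)

# Matches the numbered "Name:" lines of `show authentication samlIdPProfile`.
PROFILE_RE = re.compile(r"^\s*\d+\)\s+Name:\s*(\S+)", re.M)


def parse_version(text):
    """Return (train, (major, minor)) from `show ns version` output."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no NetScaler version line found")
    return m.group("train"), (int(m.group("major")), int(m.group("minor")))


def saml_idp_profiles(text):
    """Return the names of configured SAML IdP profiles (empty list if none)."""
    return PROFILE_RE.findall(text)


def assess(version_text, idp_text, fips=False):
    """Classify an appliance as not-idp, patched, VULNERABLE or unknown-train.

    Builds compare as (major, minor) integer tuples, so 62.23 > 62.9 and
    66.59 > 51.15 come out right without string comparison tricks.
    """
    train, build = parse_version(version_text)
    profiles = saml_idp_profiles(idp_text)
    result = {"train": train, "build": build, "idp_profiles": profiles}
    fixed = FIXED_BUILDS.get((train, fips))
    if not profiles:
        # The flaw is only reachable when the box acts as a SAML IdP; patch anyway.
        result["status"] = "not-idp"
    elif fixed is None:
        result["status"] = "unknown-train"
    elif build >= fixed:
        result["status"] = "patched"
    else:
        result["status"] = "VULNERABLE"
    return result


# Constructed sample captures (not from a real appliance).
SAMPLE_VERSION_OLD = (
    "\tNetScaler NS13.1: Build 58.32.nc, Date: Jan 10 2025, 10:12:31   (64-bit)\n Done\n"
)
SAMPLE_VERSION_FIXED = (
    "\tNetScaler NS13.1: Build 62.23.nc, Date: Mar 5 2026, 07:07:20   (64-bit)\n Done\n"
)
SAMPLE_VERSION_FIPS = (
    "\tNetScaler NS13.1: Build 37.262.nc, Date: Mar 5 2026, 08:41:02   (64-bit)\n Done\n"
)
SAMPLE_IDP = (
    "1)\tName: idp_corp\n"
    "\tAssertion Consumer Service URL: https://sp.example.com/saml/acs\n"
    "2)\tName: idp_partner\n"
    "\tAssertion Consumer Service URL: https://partner.example.net/acs\n"
    " Done\n"
)
SAMPLE_NO_IDP = " Done\n"

if __name__ == "__main__":
    cases = [
        ("old build, IdP configured", SAMPLE_VERSION_OLD, SAMPLE_IDP, False),
        ("fixed build, IdP configured", SAMPLE_VERSION_FIXED, SAMPLE_IDP, False),
        ("FIPS fixed build, flag set", SAMPLE_VERSION_FIPS, SAMPLE_IDP, True),
        ("FIPS fixed build, flag missing", SAMPLE_VERSION_FIPS, SAMPLE_IDP, False),
        ("old build, no IdP", SAMPLE_VERSION_OLD, SAMPLE_NO_IDP, False),
    ]
    for label, ver, idp, fips in cases:
        print(f"{label}: {assess(ver, idp, fips)['status']}")
```

In practice the two captures come from an SSH session or a NITRO API call; the script deliberately takes plain text so it can be run against captures collected during an incident without network access to the appliances.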