Citrix NetScaler critical flaw could leak data, update now

Citrix warns of a critical NetScaler flaw (CVE-2026-3055) that could leak sensitive data; users are urged to apply security updates immediately.

Citrix issued security updates for two NetScaler vulnerabilities, including a critical memory overread, tracked as CVE-2026-3055 (CVSS score of 9.3), that allows unauthenticated attackers to leak sensitive data.

The flaw CVE-2026-3055 is an insufficient input validation leading to memory overread, it can be triggered only if Citrix ADC or Citrix Gateway are configured as a SAML IDP.

Customers can check if their NetScaler appliance is set up as a SAML IDP by looking for the configuration string:

add authentication samlIdPProfile .*

“This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory.” reads the advisory published by Rapid7 researchers. “The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on.”

At this time, CVE-2026-3055 has no known in-the-wild exploits or public proof-of-concept. Citrix discovered it internally, but once exploit code is released, attacks are likely. Customers should patch immediately, as similar memory-leak flaws like “CitrixBleed” (CVE-2023-4966) were widely exploited in 2023.

The second vulnerability fixed by the vendor is a race condition tracked as CVE-2026-4368 (CVSS score of 7.7) that causes session mix-ups.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix )