A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway is drawing urgent warnings from the security community, with experts cautioning that exploitation could be imminent and that the ghost of CitrixBleed looms large over the disclosure.
Tracked as CVE-2026-3055 with a CVSS score of 9.3, the flaw is an out-of-bounds read issue affecting NetScaler deployments configured as a SAML Identity Provider (SAML IDP), allowing remote, unauthenticated attackers to read sensitive memory. Citrix has warned that the vulnerability could enable remote attackers to steal sensitive information, such as session tokens, and has strongly urged affected customers to install updated versions as soon as possible.
Fixes have been issued in NetScaler ADC and NetScaler Gateway versions 14.1-66.59, 13.1-62.23, and 13.1-NDcPP 13.1.37.262. A second flaw was also addressed: CVE-2026-4368, a race condition that can lead to user session mix-up, affecting appliances configured as a Gateway or AAA virtual server.
A Familiar Pattern
The security community has been quick to draw parallels with previous Citrix memory-read incidents. Cybersecurity firm watchTowr noted that many will recognise this as sounding similar to the widely exploited CitrixBleed vulnerability from 2023 and the subsequent CitrixBleed2 variant disclosed in 2025, both of which were actively leveraged in real-world attacks.
The similarity between CVE-2026-3055 and CitrixBleed2 (CVE-2025-5777) may spur attackers to move sooner rather than later. While Rapid7 notes that there is currently no known in-the-wild exploitation and no public proof of concept, the firm believes attacks could begin as soon as exploit code becomes available.
Daniel Bechenea, Security Manager at Pentest-Tools.com, told IT Security Guru that the pattern is recognisable. “Citrix memory-read issues have a way of repeating. Infosec practitioners still remember what it looked like in practice in late 2023: once the technical details are out, edge appliances become high-priority targets because they sit in front of critical apps, handling authentication and session state. When vulnerabilities show up in that part of the stack, the risk isn’t theoretical for long.”
Scope and Discovery
Citrix says the vulnerability was discovered through its own ongoing security reviews, and makes no mention of either flaw being exploited in the wild. However, the scope of exposure may be wider than the configuration requirement suggests: the SAML IdP configuration that exploitation requires is likely to be very common among organisations that use single sign-on.
Bechenea highlighted the offensive security nuance teams need to internalise quickly: “CVE-2026-3055 affects NetScaler deployments configured as a SAML Identity Provider, so it’s not every NetScaler. But for teams that do run SAML IdP, the question to answer quickly is: have we applied Citrix’s fix everywhere this configuration exists? If that turns into a multi-day discovery exercise, you’ve already lost the most valuable window.”
Organisations can check exposure by searching their NetScaler configuration for the string “add authentication samlIdPProfile”.
Beyond the Patch
Security professionals are stressing that patching alone is insufficient given the nature of the vulnerability class. Bechenea outlined a more comprehensive response posture: “Remediation needs to go beyond ‘apply the patch.’ Patch quickly, but assume sessions may already be at risk due to a memory-leak class issue. Terminate active and persistent sessions after updating, review SAML IdP access paths, and validate closure from an external vantage point.”
He also flagged a broader cultural risk that could leave organisations exposed long after the fix is applied: “Don’t let vendor brand trust become a control. ‘It’s a major appliance, it must be fine’ is how edge systems become assumed-safe and under-tested.”
What To Do Now
Organisations running affected on-premises NetScaler deployments should:
- Immediately patch to the fixed versions (14.1-66.59, 13.1-62.23, or 13.1-NDcPP 13.1.37.262)
- Confirm whether any appliances are configured as SAML IdP using the Citrix-specified configuration string
- Terminate all active and persistent sessions post-patching
- Review SAML IdP access paths for signs of anomalous activity
- Validate remediation from an external vantage point, not just internal tooling
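As an added example (not from the article, Citrix, or any of the firms quoted), the following Python triage script applies the first two checks in the list above to a captured `show ns version` line and a saved running configuration, comparing the build against the fixed versions named in the advisory. The sample version line and configuration are constructed; the `show ns version` line format and the separate handling of the 13.1-NDcPP build line are assumptions.

```python
import re

# Fixed builds as quoted in the article, keyed by (release, is_ndcpp).
# The 13.1-NDcPP line carries 37.x build numbers, so it must not be
# compared against the regular 13.1 line (62.23) or patched boxes look unpatched.
FIXED_BUILDS = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),
}

SAML_IDP_MARKER = "add authentication samlIdPProfile"

# Assumed format of the version line, e.g. "NetScaler NS14.1: Build 66.50.nc, ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Constructed sample inputs (not captured from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 66.50.nc, Date: Jan 1 2026, 00:00:00   (64-bit)"
SAMPLE_CONFIG = """\
add ns ip 10.0.0.10 255.255.255.0 -type SNIP
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert -samlSPCertName sp_cert
add authentication vserver auth_vs SSL 10.0.0.20 443
"""


def parse_ns_version(show_version_output: str):
    """Return (release, (build_major, build_minor)) from `show ns version` text."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no NetScaler version string found")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def needs_patch(release: str, build: tuple, ndcpp: bool = False):
    """True if the build is older than the fixed build; None for an unknown line."""
    fixed = FIXED_BUILDS.get((release, ndcpp))
    return None if fixed is None else build < fixed


def saml_idp_configured(running_config: str) -> bool:
    """True if any config line defines a SAML IdP profile (the Citrix-specified string)."""
    return any(line.strip().startswith(SAML_IDP_MARKER) for line in running_config.splitlines())


def assess(show_version_output: str, running_config: str, ndcpp: bool = False) -> dict:
    release, build = parse_ns_version(show_version_output)
    unpatched, idp = needs_patch(release, build, ndcpp), saml_idp_configured(running_config)
    if unpatched is None:
        status = "unknown release line; verify manually"
    elif unpatched and idp:
        status = "EXPOSED: SAML IdP configured on unpatched build"
    elif unpatched:
        status = "unpatched build; SAML IdP not configured"
    else:
        status = "patched"
    return {"release": release, "build": build, "saml_idp": idp, "status": status}
```

Run `assess(SAMPLE_VERSION, SAMPLE_CONFIG)` to see the constructed appliance reported as exposed; pass `ndcpp=True` when the appliance runs the 13.1-NDcPP line.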
Citrix-managed cloud services and Adaptive Authentication have already been updated by Cloud Software Group. On-premises customers bear responsibility for applying the fixes themselves.