Citrix has released urgent security updates for NetScaler ADC and NetScaler Gateway after discovering two vulnerabilities that could expose sensitive session data and cause session mix-ups. The company is urging administrators to apply the fixes as soon as possible, citing the potential for exploitation that echoes earlier high-profile memory-leak bugs that were actively abused in the wild.
What happened
Earlier this month Citrix published advisories addressing CVE-2026-3055 and CVE-2026-4368. The more severe issue, CVE-2026-3055, is a memory overread caused by insufficient input validation in appliances configured as SAML identity providers (IDP). In practice, that weakness can allow remote attackers without prior privileges to read memory and potentially extract sensitive information such as session tokens. The second vulnerability, CVE-2026-4368, stems from a race condition in Gateway configurations (including SSL VPN, ICA Proxy, CVPN, RDP proxy, and AAA virtual servers) that could lead to user session mix-ups under low-complexity attack scenarios.
Why this matters
Both findings are especially concerning because they resemble the mechanics of previously exploited Citrix vulnerabilities—most notably the CitrixBleed family of flaws (CVE-2023-4966 and later variants) that were leveraged in real-world attacks. Security researchers warn that once patches are public, adversaries frequently attempt to reverse-engineer them to produce working exploits. Given the history of Citrix-related incidents and the fact that NetScaler installations are widely deployed and often internet-accessible, the risk of rapid weaponization is real.
Who is affected
The vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 13.1 and 14.1. Citrix has provided fixed firmware builds: 13.1-62.23 and 14.1-66.59 for the general releases, and 13.1-37.262 for the FIPS and NDcPP variants of 13.1. Internet scanning by security groups such as Shadowserver indicates there are over 30,000 NetScaler ADC instances and more than 2,300 Gateway instances visible online. Not all exposed systems will necessarily be running the vulnerable configurations, but the sheer numbers underscore the scale of potential exposure.
Technical snapshot
- CVE-2026-3055: Insufficient input validation in SAML IDP handling leads to an out-of-bounds memory read. Attackers able to trigger the condition could read portions of memory, which may include session tokens and other sensitive data.
- CVE-2026-4368: A race condition in Gateway processing can cause session mix-ups, allowing low-privileged actors to cause user session confusion or interference. The complexity required for exploitation is low, increasing the likelihood of feasible attacks.
What administrators should do now
- Inventory: Identify all NetScaler ADC and NetScaler Gateway instances in your environment, including cloud-deployed and on-prem appliances, and note their exact software builds.
- Prioritize: Treat systems configured as SAML identity providers or Gateway endpoints (SSL VPN, ICA Proxy, CVPN, RDP proxy, AAA vservers) as high priority for remediation.
- Patch: Apply the vendor-provided updates immediately: 13.1-62.23 for 13.1, 14.1-66.59 for 14.1, or 13.1-37.262 for the 13.1 FIPS/NDcPP variants, after validating compatibility with your environment and taking backups.
- Mitigate: If immediate patching isn’t possible, consider temporary mitigations such as restricting administrative interfaces to trusted networks, adding WAF rules to block suspicious SAML-related requests, and enforcing strict access controls to management planes.
- Monitor: Increase logging and monitoring for unusual authentication flows, unexpected session token activity, or anomalous traffic patterns to Gateway services.
- Test: After patching, validate functionality thoroughly in a staging environment before rolling changes to production to avoid service disruptions.
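As an added illustration of the inventory and prioritize steps (this is not code from Citrix or from the original article), the script below parses NetScaler build strings, compares each appliance against the fixed builds named above, and flags hosts running SAML IDP or Gateway roles as high priority; the hostnames, builds and role labels in the sample inventory are constructed, and a branch or variant the advisory summary does not name is reported as unknown rather than guessed.

```python
import re
from typing import NamedTuple, Optional, Tuple
# Fixed builds named in the advisory summary above: (branch, variant) -> (build, point release).
FIXED_BUILDS = {
    ("13.1", "GA"): (62, 23),
    ("14.1", "GA"): (66, 59),
    ("13.1", "FIPS/NDcPP"): (37, 262),
}
# Roles the advisory singles out as exposed to the two CVEs (Gateway modes and SAML IDP).
HIGH_RISK_ROLES = {"saml-idp", "ssl-vpn", "ica-proxy", "cvpn", "rdp-proxy", "aaa"}
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

class Finding(NamedTuple):
    host: str
    status: str    # patched | vulnerable | unknown | unparsed
    priority: str  # high | normal
    detail: str

def parse_build(version: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """'13.1-62.23' -> ('13.1', (62, 23)); None for anything that is not a build string."""
    m = BUILD_RE.match(version.strip())
    return (m.group(1), (int(m.group(2)), int(m.group(3)))) if m else None

def assess(host: str, version: str, roles: set, fips: bool = False) -> Finding:
    priority = "high" if roles & HIGH_RISK_ROLES else "normal"
    parsed = parse_build(version)
    if parsed is None:
        return Finding(host, "unparsed", priority, f"unrecognised build string {version!r}")
    branch, build = parsed
    variant = "FIPS/NDcPP" if fips else "GA"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:  # e.g. 12.1, or a variant the advisory summary above does not list
        return Finding(host, "unknown", priority, f"{branch} {variant} not covered here; check the advisory")
    target = f"{branch}-{fixed[0]}.{fixed[1]}"
    if build >= fixed:  # tuple comparison: build number first, then point release
        return Finding(host, "patched", priority, f"{version} >= {target}")
    return Finding(host, "vulnerable", priority, f"{version} < fixed build {target}")

# Constructed sample inventory (hostnames, builds and roles are made up for illustration).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-59.10", {"ssl-vpn", "aaa"}, False),
    ("ns-idp-01", "13.1-62.23", {"saml-idp"}, False),
    ("ns-fips-01", "13.1-37.200", {"ica-proxy"}, True),
    ("ns-lb-01", "14.1-66.59", {"lb"}, False),
]

def triage(inventory=SAMPLE_INVENTORY):
    """Findings ordered so vulnerable, high-priority hosts come first."""
    order = {"vulnerable": 0, "unparsed": 1, "unknown": 2, "patched": 3}
    return sorted((assess(*row) for row in inventory), key=lambda f: (order[f.status], f.priority != "high"))
```

Feed it the output of your own inventory (for example the build reported by `show version` on each appliance) and work the vulnerable, high-priority rows first.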
Context and risk posture
Security vendors and incident responders have already warned customers to act quickly. Rapid7 pointed out that Citrix has previously seen memory-read vulnerabilities exploited in the wild and urged remediation ahead of any public exploit availability. Other researchers noted the similarity to CitrixBleed and CitrixBleed2, both of which were associated with active exploitation and serious impact to organizations. In 2025, CISA labeled CitrixBleed2 as actively exploited and required federal agencies to secure systems in an accelerated timeframe—an indicator of how seriously regulators treat these classes of flaws.
Final thoughts
This is a time-sensitive operational security issue. The combination of publicly documented patches, large numbers of internet-exposed appliances, and a proven history of exploit development against Citrix products means administrators should assume heightened risk until systems are patched. A focused, methodical response—inventory, prioritize, patch, mitigate, monitor—will reduce the window of exposure and help defend against opportunistic attackers who often follow patch disclosures with exploit attempts.