
Citrix NetScaler ADC and Gateway Vulnerabilities (CVE-2026-3055 & CVE-2026-4368)

Prepared by: Brandon Sawyer, Vulnerability Analyst | Published: Tue 24 March 2026

Purpose

On 23 March 2026, Citrix released security updates addressing multiple vulnerabilities affecting NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. CVE-2026-3055 (CVSS v4.0: 9.3 – Critical) is an out-of-bounds memory read vulnerability that could allow an unauthenticated attacker to access sensitive information. CVE-2026-4368 (CVSS v4.0: 7.7 – High) is a race condition vulnerability that may enable unintended behavior or potential exploitation under specific conditions.

Citrix currently reports no active exploitation in the wild; however, given the low complexity and potential impact of these vulnerabilities, threat actors are likely to target them. Previous memory-read vulnerabilities in Citrix NetScaler ADC and Gateway, Citrix Bleed 1 (CVE-2023-4966) and Citrix Bleed 2 (CVE-2025-5777), were heavily targeted. Upgrading to the latest fixed versions should therefore be treated as a priority.

Vulnerability details

CVE-2026-3055 is an out-of-bounds memory read vulnerability that could allow an unauthenticated threat actor to access sensitive information. Citrix have reported that exploitation requires Citrix ADC or Citrix Gateway to be configured as a SAML Identity Provider (IDP). Per the advisory, customers can determine whether an appliance is configured with a SAML IDP profile by inspecting their NetScaler configuration for the string "add authentication samlIdPProfile".

CVE-2026-4368 is a race condition vulnerability that may enable unintended behavior or potential exploitation under specific conditions. The Citrix security advisory states that the appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.

Citrix also note that this bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

Impact

If exploited, CVE-2026-3055 may result in the disclosure of sensitive information such as session tokens, authentication data, or other confidential system details. That information could then be used to facilitate attacks such as session hijacking and other unauthorised access to internal resources. CVE-2026-4368 could lead to unintended system behaviour, potentially allowing attackers to bypass security controls or, in certain circumstances, achieve limited privilege escalation.


Mitigation actions

Customers running affected versions of NetScaler ADC and NetScaler Gateway are advised to upgrade immediately to the fixed versions below:

Product                                      Affected Version                    Fixed Version
Citrix NetScaler ADC and NetScaler Gateway   14.1 before 14.1-66.59              14.1-66.59 and later releases
Citrix NetScaler ADC and NetScaler Gateway   13.1 before 13.1-62.23              13.1-62.23 and later releases of 13.1
Citrix NetScaler ADC and NetScaler Gateway   FIPS and NDcPP before 13.1-37.262   13.1-37.262 and later releases of 13.1-FIPS and 13.1-NDcPP
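The two checks this bulletin asks customers to perform, the SAML IDP profile string from the vulnerability details and the fixed-build comparison from the table above, can be scripted against a saved ns.conf export. The following is an added example written for this bulletin, not code from Citrix or Triskele Labs; it assumes the appliance build is supplied in the advisory's "14.1-66.59" form and that the config is a plain-text ns.conf (the sample fragment is constructed).

```python
"""Added example: assess a NetScaler ns.conf export and build string against
the CVE-2026-3055 preconditions and fixed builds named in this bulletin."""
import re

# Fixed builds from the advisory, keyed by branch. 13.1-FIPS/NDcPP is listed
# separately because it is fixed at a different 13.1 build number.
FIXED_BUILDS = {
    "14.1": (66, 59),
    "13.1": (62, 23),
    "13.1-FIPS": (37, 262),
}

SAML_IDP_MARKER = "add authentication samlIdPProfile"


def parse_build(version, fips=False):
    """Parse 'major.minor-build.sub' (e.g. '14.1-66.59') into
    (branch, (build, sub)). Pass fips=True for 13.1-FIPS/NDcPP appliances."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    branch = m.group(1)
    if fips and branch == "13.1":
        branch = "13.1-FIPS"
    return branch, (int(m.group(2)), int(m.group(3)))


def is_vulnerable_build(version, fips=False):
    """True if the build predates the fix; None if the branch is not covered."""
    branch, build = parse_build(version, fips)
    if branch not in FIXED_BUILDS:
        return None
    return build < FIXED_BUILDS[branch]


def saml_idp_configured(ns_conf):
    """True if any non-comment config line adds a SAML IdP profile, the
    CVE-2026-3055 precondition named in the advisory."""
    for line in ns_conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if stripped.startswith(SAML_IDP_MARKER):
            return True
    return False


def assess(version, ns_conf, fips=False):
    """Summarise exposure: both a pre-fix build and an IdP profile are needed."""
    vulnerable = is_vulnerable_build(version, fips)
    idp = saml_idp_configured(ns_conf)
    return {"vulnerable_build": vulnerable, "saml_idp": idp,
            "cve_2026_3055_exposed": bool(vulnerable) and idp}


# Constructed sample ns.conf fragment, not taken from a real appliance.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 10.0.0.20 443
"""

if __name__ == "__main__":
    print(assess("14.1-47.46", SAMPLE_NS_CONF))
```

A build on an unlisted branch returns None rather than False so that it is reviewed by hand instead of being reported as safe.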

Detection capabilities

At the time of writing, publicly confirmed detection coverage for CVE-2026-3055 and CVE-2026-4368 is limited. It is expected that vulnerability management vendors will release detection signatures in line with standard update cycles. Organisations should monitor vendor advisories and ensure their scanning plugins are kept up to date.

MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of CVE-2026-3055 and CVE-2026-4368 and related Citrix vulnerabilities across supported log sources.

Vulnerability Management customers: Environments will be assessed for vulnerable Citrix NetScaler ADC and Gateway versions; any exposure will be communicated through priority channels.


References