Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks

Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks Ravie LakshmananMar 24, 2026Vulnerability / Enterprise Security Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application. The vulnerabilities are listed below - CVE-2026-3055 (CVSS score: 9.3) - Insufficient input validation leading to memory overread CVE-2026-4368 (CVSS score: 7.7) - Race condition leading to user session mixup Cybersecurity company Rapid7 said that CVE-2026-3055 refers to an out-of-bounds read that could be exploited by unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory. However, for exploitation to be successful, the Citrix ADC or Citrix Gateway appliance must be configured as a SAML Identity Provider (SAML IDP), which means default configurations are unaffected. To determine if the device has been configured as a SAML IDP Profile, Citrix is urging customers to inspect their NetScaler Configuration for the specified string: "add authentication samlIdPProfile .*" CVE-2026-4368, on the other hand, requires the appliance to be configured as a gateway (i.e., SSL VPN, ICA Proxy, CVPN, and RDP Proxy) or an Authentication, Authorization, and Accounting (AAA) server. Customers can check the NetScaler Configuration to ascertain if their devices have been configured as either of the nodes - AAA virtual server - add authentication vserver .* Gateway - add vpn vserver .* The vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Users are advised to apply the latest updates as soon as possible for optimal protection. While there is no evidence that the shortcomings have been exploited in the wild, security flaws in NetScaler devices have been repeatedly exploited by threat actors (CVE-2023-4966, aka Citrix Bleed, CVE-2025-5777, aka Citrix Bleed 2, CVE-2025-6543, and CVE-2025-7775), making it imperative that users take steps to update their instances. "CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments. If it sounds familiar, it's because it is – this vulnerability sounds suspiciously similar to Citrix Bleed and Citrix Bleed 2, which continue to represent a trauma event for many," watchTowr CEO and founder Benjamin Harris told The Hacker News. "NetScalers are critical solutions that have been continuously targeted for initial access into enterprise environments. While the advisory just went live, defenders need to act quickly. Anyone running impacted versions needs to patch urgently. Imminent exploitation is highly likely." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Citrix, cybersecurity, Data Leakage, enterprise security, NetScaler, network security, Vulnerability Trending News Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Load More ▼ Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures Guide - Discover How to Validate AI Risks With Adversarial Testing