PROBABLYPWNED
Vulnerabilities | March 24, 2026 | 3 min read

Citrix NetScaler Memory Leak Exposes SAML SSO Secrets

CVE-2026-3055 (CVSS 9.3) lets unauthenticated attackers read sensitive data from NetScaler memory. Affects appliances configured as SAML Identity Providers—patch now.

Marcus Chen

Citrix released security updates on March 23 addressing two vulnerabilities in NetScaler ADC and NetScaler Gateway. The more severe, CVE-2026-3055, carries a CVSS 9.3 rating and enables unauthenticated attackers to leak potentially sensitive information directly from appliance memory.

The catch: exploitation requires the appliance to be configured as a SAML Identity Provider. That's not a niche configuration—it's exactly how many organizations implement single sign-on across their environments.

What the Vulnerability Exposes

CVE-2026-3055 stems from insufficient input validation leading to an out-of-bounds memory read (CWE-125). Attackers can trigger the condition remotely without authentication and read whatever happens to be resident in the process's memory at that moment, which on an appliance acting as a SAML IdP can include:

  • Session tokens and other authentication data
  • SAML assertions and the cryptographic material used to produce them
  • Credentials of users authenticating through the appliance, while still held in memory
  • Internal configuration details

Memory disclosure vulnerabilities rarely get the attention of remote code execution flaws, but they can be equally damaging. A leaked session token enables account takeover without a password; leaked signing material or assertions compromise the entire SSO trust chain, because every service provider that trusts the IdP will accept what an attacker can forge or replay.

Am I Affected?

Your NetScaler deployment is exposed to CVE-2026-3055 only if it is configured as a SAML IdP. To check, inspect the running configuration (ns.conf) for this command:

add authentication samlIdPProfile

If the line is present and the appliance runs a build below the fixed versions listed below, patch. Appliances without a SAML IdP profile, including default configurations, are not affected by CVE-2026-3055 (they may still be in scope for the second CVE described next).

Citrix also patched a second vulnerability, CVE-2026-4368 (CVSS 7.7), a race condition that can cause user session mix-ups. This one affects appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as AAA virtual servers.

Affected and Fixed Versions

For CVE-2026-3055:

Product line                      Vulnerable             Fixed
NetScaler ADC/Gateway 14.1        Before 14.1-66.59      14.1-66.59 and later
NetScaler ADC/Gateway 13.1        Before 13.1-62.23      13.1-62.23 and later
NetScaler ADC FIPS/NDcPP 13.1     Before 13.1-37.262     13.1-37.262 and later

CVE-2026-4368 specifically affects version 14.1-66.54 and is addressed in the same updates.
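The following script turns the ns.conf check and the fixed-build table above into a repeatable test you can run over saved configurations from a whole fleet. It is an added example, not Citrix tooling or code from this article; the ns.conf fragment is constructed for the demo, the version strings follow the advisory's "release-build" form, and the FIPS/NDcPP branch must be named by the caller because its version string shares the 13.1 prefix with standard 13.1.

```python
import re

# Constructed ns.conf fragment used as sample input; it is not taken from a
# real appliance. On a live system, read /nsconfig/ns.conf or the output of
# "show ns runningConfig" instead.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert
add authentication vserver aaa_vs SSL 10.0.0.21 443
"""

# First fixed builds for CVE-2026-3055 from the advisory table, keyed by
# (release, branch). The 13.1 FIPS/NDcPP branch shares the "13.1" prefix with
# standard 13.1, so the caller must say which branch the appliance runs.
FIXED_3055 = {
    ("14.1", "std"): (66, 59),
    ("13.1", "std"): (62, 23),
    ("13.1", "fips"): (37, 262),
}

# Version strings as written in the advisory, e.g. "14.1-66.54".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '14.1-66.54' into ('14.1', (66, 54)); the tuples compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_saml_idp(ns_conf):
    """True when the config defines a SAML IdP profile (the advisory's test)."""
    return any(line.lstrip().startswith("add authentication samlIdPProfile")
               for line in ns_conf.splitlines())


def has_gateway_or_aaa(ns_conf):
    """True when a Gateway (vpn) or AAA (authentication) vserver is defined."""
    pattern = re.compile(r"^add (vpn|authentication) vserver\b")
    return any(pattern.match(line.lstrip()) for line in ns_conf.splitlines())


def build_below_fix_3055(version, branch="std"):
    """True/False for releases in the table; None when the release is not
    listed (for example an end-of-life branch), which must be treated as
    unknown rather than safe."""
    release, build = parse_version(version)
    fixed = FIXED_3055.get((release, branch))
    if fixed is None:
        return None
    return build < fixed


def affected_3055(ns_conf, version, branch="std"):
    """CVE-2026-3055 needs both conditions: the SAML IdP role and an unfixed build."""
    if not is_saml_idp(ns_conf):
        return False
    return build_below_fix_3055(version, branch)


def affected_4368(ns_conf, version):
    """CVE-2026-4368: only build 14.1-66.54, and only with a Gateway or AAA vserver."""
    return version.strip() == "14.1-66.54" and has_gateway_or_aaa(ns_conf)


if __name__ == "__main__":
    for v in ("14.1-66.54", "14.1-66.59", "13.1-62.22", "12.1-55.0"):
        print(v, "CVE-2026-3055:", affected_3055(SAMPLE_NS_CONF, v),
              "CVE-2026-4368:", affected_4368(SAMPLE_NS_CONF, v))
```

A result of None from affected_3055 means the release is not in the advisory's table at all; do not read that as "patched", since a branch missing from the table is more likely unsupported than fixed.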

No Known Exploitation—Yet

Citrix states no in-the-wild exploitation has been observed and no public proof-of-concept exists. The vulnerability was identified through internal security review. That window won't stay open long.

NetScaler appliances sit at network perimeters handling authentication for entire organizations. Threat actors prioritize these targets. The 2023 Citrix Bleed memory-disclosure flaw (CVE-2023-4966), the same bug class as this one, saw exploitation within days of disclosure. The March 2026 Fortinet patch cycle similarly attracted rapid attacker interest.

Recommended Actions

  1. Identify SAML IDP configurations across your NetScaler fleet
  2. Apply updates immediately for customer-managed deployments
  3. Monitor authentication logs for anomalous SAML assertion patterns
  4. Review session management to detect potential token reuse; patching does not invalidate tokens already read out of memory, so terminate active sessions once the update is applied
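As an added example of what steps 3 and 4 look like in practice (not code from the article or from Citrix), the script below runs over a handful of constructed authentication log lines and flags the two signals worth triaging after a memory-disclosure bug: one session id used from more than one client address (a leaked or replayed token), and one session id tied to more than one username (the signature of the session mix-up described for CVE-2026-4368). The log format is an assumption made for the example; adapt LINE_RE to the fields your collector actually receives from the appliance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real NetScaler output). The field layout
# is an assumption for this example; adapt LINE_RE to your real syslog fields.
SAMPLE_LOG = """\
2026-03-24T08:00:01Z AUTH session=a1b2c3 user=alice src=203.0.113.10 event=LOGIN
2026-03-24T08:00:05Z AUTH session=d4e5f6 user=bob src=203.0.113.11 event=LOGIN
2026-03-24T08:01:10Z AUTH session=a1b2c3 user=alice src=203.0.113.10 event=SAML_ASSERTION
2026-03-24T08:02:00Z AUTH session=a1b2c3 user=alice src=198.51.100.7 event=SAML_ASSERTION
2026-03-24T08:03:00Z AUTH session=d4e5f6 user=carol src=203.0.113.11 event=SAML_ASSERTION
2026-03-24T08:04:00Z AUTH session=778899 user=dave src=203.0.113.12 event=LOGIN
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH session=(?P<session>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)

# A second client address appearing this soon after the first is a stronger
# signal than a slow change, which a roaming user could explain.
RAPID_WINDOW = timedelta(minutes=10)


def parse_lines(lines):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def find_session_anomalies(lines):
    """Group events by session id and return, for each suspicious session,
    {"reasons": [...], "ips": [...], "users": [...]}. Reasons:
      multiple_source_ips  one session id seen from more than one client IP
      rapid_ip_change      the extra IP appeared within RAPID_WINDOW
      multiple_users       one session id tied to more than one username
    """
    first_seen = defaultdict(dict)   # session -> {ip: first timestamp}
    users = defaultdict(set)         # session -> {usernames}
    for rec in parse_lines(lines):
        sid, ip = rec["session"], rec["src"]
        if ip not in first_seen[sid] or rec["ts"] < first_seen[sid][ip]:
            first_seen[sid][ip] = rec["ts"]
        users[sid].add(rec["user"])

    findings = {}
    for sid, ip_times in first_seen.items():
        reasons = []
        if len(ip_times) > 1:
            reasons.append("multiple_source_ips")
            if max(ip_times.values()) - min(ip_times.values()) <= RAPID_WINDOW:
                reasons.append("rapid_ip_change")
        if len(users[sid]) > 1:
            reasons.append("multiple_users")
        if reasons:
            findings[sid] = {"reasons": reasons,
                             "ips": sorted(ip_times),
                             "users": sorted(users[sid])}
    return findings


if __name__ == "__main__":
    for sid, f in find_session_anomalies(SAMPLE_LOG.splitlines()).items():
        print(sid, f["reasons"], "ips:", f["ips"], "users:", f["users"])
```

Treat multiple_source_ips on its own as a triage lead rather than a verdict; multiple_users on a single session id should not happen in normal operation and deserves immediate attention.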

Organizations using NetScaler for SSO should treat this as urgent. Memory disclosure affecting authentication infrastructure creates exposure well beyond the appliance itself—every system trusting those SAML assertions becomes indirectly vulnerable.

For additional context on protecting network edge infrastructure, CISA's binding operational directive on edge device management outlines systematic approaches to reducing exposure across perimeter appliances.
