
Critical NetScaler Flaw Poses Imminent Exploit Risk (CVE-2026-3055)

Summary

– Citrix has patched two vulnerabilities (CVE-2026-3055 and CVE-2026-4368) in NetScaler ADC and Gateway, with the more serious one allowing session token theft.
– The company states there are no known active exploits but urges immediate updates because the attack is low-complexity and these products are frequently targeted.
– CVE-2026-3055 results from insufficient input validation, while CVE-2026-4368 is a race condition that can expose one user’s session to another.
– The flaws affect specific versions of NetScaler ADC and Gateway, with certain configurations like SAML Identity Provider being vulnerable.
– Researchers warn that while no public exploit exists, attackers may quickly reverse-engineer the patches, especially given similarities to a prior flaw.

Organizations using Citrix NetScaler must prioritize applying the latest security patches immediately. Two newly disclosed vulnerabilities, CVE-2026-3055 and CVE-2026-4368, present a significant risk, with the former posing a particularly severe threat. The more critical flaw, CVE-2026-3055, stems from insufficient input validation and could allow attackers to perform a memory overread to extract active user session tokens from affected devices. While the vendor states no active exploits are currently known, the potential for compromise is high given the nature of the systems involved.

The vulnerabilities impact specific versions of NetScaler ADC and NetScaler Gateway. NetScaler ADC functions as an application delivery controller for optimizing app performance and security, while NetScaler Gateway provides secure remote access to corporate resources. The critical session token flaw, CVE-2026-3055, affects systems configured as a SAML Identity Provider (SAML IDP), a common setup for organizations using single sign-on. The secondary issue, CVE-2026-4368, is a race condition that could cause a user session mixup, potentially exposing one user’s session to another. This flaw is only exploitable on appliances configured as a Gateway or AAA virtual server.

Affected software includes NetScaler ADC and Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before version 13.1-37.262. Cloud Software Group, Citrix’s parent company, has already updated its Citrix-managed cloud services and Adaptive Authentication. Senior VP of Engineering Anil Shetty confirmed the company is not aware of any unmitigated exploits in the wild for either vulnerability. However, the company strongly urges customers to upgrade to a fixed version without delay due to the low-complexity attack vector and the historical targeting of these solutions by threat actors.
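The affected-version ranges above, together with the configuration preconditions from the previous paragraph (SAML IDP for CVE-2026-3055; Gateway or AAA virtual server for CVE-2026-4368), can be turned into a fleet triage check. The following is an added example, not Citrix's code; it assumes version strings in the hyphenated "14.1-66.59" form used in the advisory, and the `variant` labels (`standard`, `fips`, `ndcpp`) are names chosen here.

```python
# Added triage helper (not Citrix's code). Fixed builds are taken from the
# advisory as reported: 14.1-66.59, 13.1-62.23, and 13.1-37.262 for the
# FIPS/NDcPP trains. Anything strictly below the fixed build is affected.
from typing import Optional

FIXED_BUILDS = {
    # (release train, variant) -> first fixed build as (major, minor)
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),
    ("13.1", "ndcpp"): (37, 262),
}


def parse_version(version: str):
    """Split '14.1-66.59' into ('14.1', (66, 59)); raises on other shapes."""
    train, _, build = version.partition("-")
    if not build or build.count(".") != 1:
        raise ValueError(f"unexpected NetScaler version format: {version!r}")
    major, minor = build.split(".")
    return train, (int(major), int(minor))


def is_vulnerable_build(version: str, variant: str = "standard") -> Optional[bool]:
    """True if below the fixed build, False if fixed, None if the train/variant
    is not covered by this advisory (so no conclusion can be drawn from it)."""
    train, build = parse_version(version)
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (66, 58) < (66, 59), (65, 100) < (66, 59)


def triage(version: str, variant: str, saml_idp: bool, gateway_or_aaa: bool):
    """Return the CVE ids whose preconditions this appliance meets, [] if the
    build is fixed or no vulnerable role is configured, None if not covered."""
    vulnerable = is_vulnerable_build(version, variant)
    if vulnerable is None:
        return None
    if not vulnerable:
        return []
    exposed = []
    if saml_idp:
        exposed.append("CVE-2026-3055")  # session-token overread needs SAML IDP
    if gateway_or_aaa:
        exposed.append("CVE-2026-4368")  # session mixup needs Gateway/AAA vserver
    return exposed


if __name__ == "__main__":
    print(triage("14.1-60.10", "standard", saml_idp=True, gateway_or_aaa=True))
```

A build that is below the fixed version but has neither role configured returns an empty list, which still warrants patching; the roles only decide which of the two flaws is currently reachable.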

Security researchers from Rapid7 and Arctic Wolf note there is no public proof-of-concept (PoC) exploit available and no detected in-the-wild exploitation at this time. The concern, however, is that this window may close quickly. With patches now released, attackers often reverse engineer the fixes to develop working exploits. Analysts warn that the technical similarity between CVE-2026-3055 and the previously exploited CitrixBleed2 flaw (CVE-2025-5777) could motivate attackers to accelerate their efforts. Citrix identified CVE-2026-3055 internally during a routine security review.

Beyond applying the mandatory software updates, security teams should implement additional defensive measures. A key recommendation is to restrict access to vulnerable appliances using network-level controls, such as firewalls, to reduce the attack surface. Proactive patching remains the most critical action, as these vulnerabilities in widely deployed enterprise infrastructure represent a clear and present danger that malicious actors are likely to attempt to weaponize in the near future.

(Source: Help Net Security)
