Citrix has patched two serious NetScaler flaws that deserve attention for different reasons. One, CVE-2026-3055, is the kind of bug defenders hate because it allows an unauthenticated remote attacker to read sensitive appliance memory. The other, CVE-2026-4368, is a race condition that can break user session boundaries and cause a session mix-up after authentication. Both affect NetScaler ADC and NetScaler Gateway, but only under specific configurations, which matters a lot for triage.
CVE-2026-3055: Memory Overread via SAML IdP Configuration
The first flaw is the headline issue. CVE-2026-3055 has a CVSS v4 score of 9.3 and is described as an out-of-bounds read that can lead to memory overread. Citrix says the vulnerable condition exists when NetScaler ADC or Gateway is configured as a SAML Identity Provider (IdP).
In plain English, that means an attacker may be able to send crafted requests to an internet-facing authentication appliance and receive back data that should never leave memory in the first place. That is why this bug matters even before anyone proves weaponized exploitation. Memory disclosure bugs are often more dangerous than they sound, because the real question is not just can memory be read, but what is in memory at the moment it is read.
Public reporting around this advisory has highlighted the possibility of exposing security-sensitive data such as session material or other secrets, although the exact contents recovered in any real attack would depend on runtime conditions and the target deployment. At the time the advisories were published, there was no public evidence of active exploitation, but multiple defenders warned that exploitation pressure is likely to rise quickly once researchers publish deeper technical analysis or a proof of concept.
CVE-2026-4368: Race Condition Leading to Session Mix-Up
The second flaw, CVE-2026-4368, is less flashy but still dangerous. It carries a CVSS v4 score of 7.7 and is a race condition that can lead to user session mix-up. The issue affects appliances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server.
The key point is that this is not just a crash bug or a reliability problem. If exploited successfully, one user can end up associated with another user's session, which cuts directly into session integrity and access control. That makes CVE-2026-4368 especially important for organizations that treat the appliance as a trust boundary for remote access.
Session confusion bugs are ugly because they undermine an assumption most teams rarely question: once a user is authenticated, the session context stays bound to the right identity. When that assumption fails, it can create a path for unintended access without needing classic credential theft. In other words, this is not "just" a concurrency mistake. It is a direct threat to how the system keeps users separated from one another.
Who Is Actually Exposed
The exposure picture is narrower than many quick takes suggest, but it is still serious. According to the published advisories:
- CVE-2026-3055 applies to deployments configured as SAML IdP
- CVE-2026-4368 applies to devices operating as Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
That means defenders should not waste time asking whether every NetScaler box is equally exposed. They should instead inventory how each appliance is configured, then prioritize the systems that match the vulnerable roles, especially those that are internet-facing.
Fixed Versions
Fixed versions from Citrix are already available. Affected releases are:
- All versions prior to 14.1-66.59
- All versions prior to 13.1-62.23
- For NetScaler ADC only: all 13.1-FIPS and 13.1-NDcPP versions prior to 13.1-37.262
Citrix also notes that NetScaler 13.0 is end-of-life and no longer receives security updates, which is a hard reminder that unsupported edge infrastructure becomes a security problem long before the next emergency advisory lands.
Two Bugs, One Trust Problem
These two CVEs hit opposite sides of the same trust problem.
CVE-2026-3055 threatens the confidentiality of secrets held by the appliance. CVE-2026-4368 threatens the integrity of the user-to-session relationship the appliance is supposed to enforce. One leaks what the box knows. The other confuses who the box thinks you are.
If your NetScaler deployment handles identity, federation, VPN access, or AAA functions, that is enough reason to treat both as priority fixes.
What Defenders Should Do Now
There are a few practical steps that stand out from the guidance:
- Inventory NetScaler roles first, not just versions. If a device is configured as SAML IdP, treat CVE-2026-3055 as urgent. If it is configured as Gateway or AAA virtual server, treat CVE-2026-4368 as urgent too.
- Patch to a fixed build. Prioritize externally reachable systems that match the vulnerable configurations.
- Preserve evidence before patching if you may need to investigate later.
- After patching, terminate active and persistent sessions so potentially compromised session material cannot simply continue to live on. CERT-EU specifically recommends this step.
- Restrict access with network controls where possible. CERT-EU also recommends limiting access to Gateway and AAA virtual servers at the network layer as a defensive measure alongside patching.
- Review logs and appliance state for signs the device was probed before remediation.
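The role-and-build triage described in the exposure and fixed-version sections and in the first two steps above, as an added example that is not Citrix code or tooling: it assumes you already have each appliance's configured roles and its build string in the advisory's "14.1-66.59" form; the Appliance class, the role labels, and the function names are made up for this illustration.

```python
import re
from dataclasses import dataclass

# Fixed builds from the advisory, keyed by (release branch, variant).
FIXED_BUILDS = {("14.1", "standard"): (66, 59), ("13.1", "standard"): (62, 23),
                ("13.1", "FIPS"): (37, 262), ("13.1", "NDcPP"): (37, 262)}
EOL_BRANCHES = {"13.0"}  # end-of-life: no fix will ship, so always treat as exposed

# Configured roles (labels made up here) that put an appliance in scope for each CVE.
ROLE_TO_CVE = {"SAML_IDP": "CVE-2026-3055"}
ROLE_TO_CVE.update({r: "CVE-2026-4368" for r in
                    ("SSL_VPN", "ICA_PROXY", "CVPN", "RDP_PROXY", "AAA_VSERVER")})
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_build(version):
    """Split '14.1-66.59' into ('14.1', (66, 59)); raises on an unexpected format."""
    m = BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def is_vulnerable_build(version, variant="standard"):
    """True when the build is older than the fixed build for its branch and variant."""
    branch, build = parse_build(version)
    if branch in EOL_BRANCHES:
        return True
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        raise ValueError(f"branch {branch} ({variant}) is not covered by this advisory")
    return build < fixed  # tuple compare: major build number first, then minor

@dataclass
class Appliance:
    name: str
    version: str
    roles: set                 # e.g. {"SAML_IDP", "SSL_VPN"}
    internet_facing: bool = False
    variant: str = "standard"  # "FIPS" or "NDcPP" for those 13.1 builds

def applicable_cves(app):
    """CVEs from this advisory that apply, given the appliance's roles and build."""
    if not is_vulnerable_build(app.version, app.variant):
        return []
    return sorted({ROLE_TO_CVE[r] for r in app.roles if r in ROLE_TO_CVE})

def triage(inventory):
    """Exposed appliances only, internet-facing first, then by number of CVEs."""
    exposed = [(a, applicable_cves(a)) for a in inventory if applicable_cves(a)]
    exposed.sort(key=lambda ac: (not ac[0].internet_facing, -len(ac[1]), ac[0].name))
    return [(a.name, cves) for a, cves in exposed]
```

A build on a branch the advisory does not mention raises rather than silently passing, so an unexpected release line shows up as an error in the inventory run instead of as a false "not affected".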
Public advisories say there was no confirmed in-the-wild exploitation at publication time, but history shows that high-value authentication edge devices rarely stay untested for long once details begin circulating.
