
Citrix Releases Critical Security Updates for NetScaler ADC and NetScaler Gateway


Summary

Advisory addresses two vulnerabilities which if exploited could lead to User Session Mixup or memory overread


Threat details

Introduction

Citrix has released a critical security bulletin addressing two vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). 

  • CVE-2026-3055 - Out-of-Bounds Read vulnerability - CVSSv4 base score: 9.3
    • Note: Citrix NetScaler ADC or Citrix Gateway must be configured as SAML IDP to be vulnerable to CVE-2026-3055.
  • CVE-2026-4368 - Race Condition vulnerability - CVSSv4 base score: 7.7
    • Note: Affected appliances must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual server to be vulnerable to CVE-2026-4368.

Exploitation of CVE-2026-3055 has been reported in the wild.

Exploitation of CVE-2026-3055 reported in the wild

Security researchers have published technical reporting of exploitation of CVE-2026-3055. Exploitation of this vulnerability could allow an unauthenticated, remote attacker to read memory from a NetScaler ADC or NetScaler Gateway appliance, potentially exposing sensitive information such as login tokens. Attackers could use these tokens to hijack existing sessions, gaining access to the network and bypassing authentication controls such as multi-factor authentication (MFA).

The NHS England National CSOC assesses that it is highly likely attackers will continue to attempt exploitation of this vulnerability and urges organisations to remediate as soon as possible. In addition, indications of a related vulnerability have been reported; continued monitoring of Citrix Security Bulletins is advised.


Threat updates

30 Mar 2026: Exploitation in the wild

The following sections have been updated to reflect exploitation of CVE-2026-3055:

  • Emphasis box
  • Introduction

24 Mar 2026: Escalated to High Severity

The following sections have been updated:

  • Emphasis box
  • Remediation advice
  • Remediation steps

Remediation advice

Affected organisations must review Citrix Security Bulletin CTX696300 and apply the relevant updates as soon as possible.


Remediation steps

Type: Patch

Step (required): Update to a fixed version

Fixed versions include:

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

Citrix Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.

Note: Citrix NetScaler 13.0 is end-of-life and no longer receives security updates. Organisations running end-of-life versions must upgrade to a supported version.
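As an added example (not part of this advisory or of any Citrix tooling), a short Python check that compares an appliance's reported build string against the fixed versions listed above and, using the role notes from the Introduction, reports which of the two CVEs apply to that appliance. The host names, build numbers and role flags in the sample inventory are constructed; the FIPS/NDcPP flag is an assumption the operator supplies because those builds are numbered differently from standard 13.1.

```python
import re

# Fixed builds listed above for Citrix bulletin CTX696300, keyed by release branch.
FIXED_BUILDS = {
    "14.1": "14.1-66.59",
    "13.1": "13.1-62.23",
    "13.1-FIPS": "13.1.37.262",  # covers both 13.1-FIPS and 13.1-NDcPP, as given above
}
EOL_BRANCHES = {"13.0"}  # end-of-life: no longer receives security updates

# Which CVE applies depends on the appliance role, per the notes in the Introduction.
ROLE_TO_CVE = {
    "saml_idp": "CVE-2026-3055",        # configured as SAML IdP
    "gateway_or_aaa": "CVE-2026-4368",  # Gateway (SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA vserver
}

def parse_build(text):
    """'14.1-66.59' or '13.1.37.262' -> (14, 1, 66, 59). NetScaler build strings
    mix '-' and '.' separators, so both are accepted."""
    parts = re.split(r"[-.]", text.strip())
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    return tuple(int(p) for p in parts)

def assess(build, fips_or_ndcpp=False, roles=()):
    """Classify a build against the fixed versions. 'status' is one of patched,
    vulnerable, end-of-life or unknown; 'applicable_cves' lists the CVEs that apply
    to the roles the operator says the appliance serves (keys of ROLE_TO_CVE).
    fips_or_ndcpp must be set for FIPS/NDcPP builds, whose 13.1 numbering differs."""
    major, minor, *_ = parse_build(build)
    branch = f"{major}.{minor}"
    cves = sorted(ROLE_TO_CVE[r] for r in roles if r in ROLE_TO_CVE)
    if branch in EOL_BRANCHES:
        return {"status": "end-of-life", "branch": branch, "applicable_cves": cves}
    key = "13.1-FIPS" if (fips_or_ndcpp and branch == "13.1") else branch
    if key not in FIXED_BUILDS:
        return {"status": "unknown", "branch": branch, "applicable_cves": cves}
    status = "patched" if parse_build(build) >= parse_build(FIXED_BUILDS[key]) else "vulnerable"
    return {"status": status, "branch": key, "fixed_build": FIXED_BUILDS[key], "applicable_cves": cves}

if __name__ == "__main__":
    # Constructed sample inventory (host names, builds and roles are made up).
    inventory = [
        ("gw-01", "14.1-47.46", False, ("gateway_or_aaa",)),
        ("idp-01", "13.1-59.19", False, ("saml_idp", "gateway_or_aaa")),
        ("fips-01", "13.1-37.207", True, ("saml_idp",)),
        ("old-01", "13.0-92.21", False, ("gateway_or_aaa",)),
    ]
    for host, build, fips, roles in inventory:
        print(host, build, assess(build, fips, roles))
```

An appliance reported as "patched" with an empty applicable_cves list was never exposed by role; one reported "unknown" is on a branch the advisory does not cover and should be checked against the bulletin directly.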


Citrix Security Bulletin CTX696300: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368


Last edited: 30 March 2026 3:20 pm