NetScaler patches fix critical SAML and Gateway flaws that could enable remote attacks
Cloud Software Group has released security updates for NetScaler ADC and NetScaler Gateway to fix two newly disclosed vulnerabilities, including one critical bug that can affect appliances configured as a SAML Identity Provider. The more severe issue, CVE-2026-3055, carries a CVSS v4 base score of 9.3, while CVE-2026-4368 is rated 7.7 and affects certain Gateway and AAA setups.
The company says customer-managed deployments should upgrade as soon as possible. NetScaler Console service now supports identification and remediation for both flaws, and NHS England’s cyber alert repeats the same recommendation to review the Citrix bulletin and apply the relevant updates quickly.
What CVE-2026-3055 does
CVE-2026-3055 is an out-of-bounds read caused by insufficient input validation. Cloud Software Group’s bulletin says the flaw affects NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML IdP. The vendor also says it identified this issue internally through ongoing security reviews, which is notable because the advisory does not say the bug was discovered through public incident response or confirmed in-the-wild exploitation.
That configuration requirement matters. An exposed NetScaler appliance is not automatically vulnerable to CVE-2026-3055 unless SAML IdP is enabled. Administrators can check their configuration for SAML IdP profiles to determine whether that condition applies.
What CVE-2026-4368 does
The second flaw, CVE-2026-4368, is a race condition that can lead to user session mixup. According to the vendor’s bulletin and NHS England’s alert, this issue affects appliances configured as a Gateway, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy, or as an AAA virtual server.
Even though CVE-2026-4368 is not rated critical, it still creates real risk for perimeter infrastructure because session mixup can expose user-session confidentiality and integrity in login and remote-access scenarios. That makes it especially relevant for organizations that use NetScaler at the edge for VPN and application access.
Affected versions and fixed builds
Cloud Software Group says the affected and fixed versions are as follows:
| CVE | Affected versions | Fixed version |
|---|---|---|
| CVE-2026-3055 | NetScaler ADC/Gateway 14.1 before 14.1-66.59; 13.1 before 13.1-62.23; 13.1 FIPS/NDcPP before 13.1-37.262 | 14.1-66.59+, 13.1-62.23+, 13.1-37.262+ |
| CVE-2026-4368 | NetScaler ADC/Gateway 14.1-66.54 | 14.1-66.59+ |
The advisory applies to customer-managed deployments. Citrix-managed cloud services and Adaptive Authentication were already updated by the vendor, so customers using those managed offerings do not need to patch them separately.
Why admins should move quickly
NetScaler products often sit at the front door of enterprise environments, which makes even configuration-specific flaws important. CVE-2026-3055 matters most for organizations running SAML IdP on vulnerable builds, while CVE-2026-4368 matters for organizations using NetScaler as a Gateway or AAA virtual server. In both cases, the affected systems usually handle authentication and session traffic, so delay increases the exposure of high-value infrastructure.
NetScaler Console service already supports identifying and remediating both issues, although Cloud Software Group notes that EOL builds are not supported by the advisory tooling. That means organizations still running older unsupported versions may need a broader upgrade path instead of a simple targeted patch.
What defenders should do now
- Upgrade vulnerable customer-managed NetScaler ADC and NetScaler Gateway systems to the fixed builds.
- Check whether affected appliances are configured as a SAML IdP, since that is the precondition for CVE-2026-3055.
- Check whether affected appliances are configured as Gateway or AAA virtual server instances, since that is the precondition for CVE-2026-4368.
- Use NetScaler Console’s Security Advisory tooling to identify vulnerable managed instances and plan remediation.
- Prioritize any exposed perimeter systems first, especially those tied to VPN, SAML, and remote access workflows.
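One way to turn the two preconditions and the fixed-build table into a repeatable pre-patch check is to script it. The following Python helper is an added example written for this article; it is not the vendor's NetScaler Console tooling or any code from the advisory. It assumes the two standard `ns.conf` command prefixes `add authentication samlIdPProfile` (a SAML IdP profile) and `add vpn vserver` / `add authentication vserver` (a Gateway or AAA virtual server) as the configuration indicators, accepts the version either as `14.1-66.54` or as the `NetScaler NS14.1: Build 66.54.nc` form printed by `show ns version`, and asks the operator to state whether the appliance runs the 13.1 FIPS/NDcPP train, since that cannot be read from the version string alone. The sample configuration and version output at the bottom are constructed for the example.

```python
"""Exposure triage for CVE-2026-3055 / CVE-2026-4368 from a NetScaler version and ns.conf.

Illustrative helper, not vendor tooling. Run it against a saved copy of ns.conf
and the output of `show ns version` on a management host, not on the appliance.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Fixed builds from the Cloud Software Group advisory table, keyed by
# (release train, FIPS/NDcPP flag). Builds below these are affected by
# CVE-2026-3055 when the appliance is configured as a SAML IdP.
FIXED_CVE_2026_3055: dict[tuple[str, bool], tuple[int, int]] = {
    ("14.1", False): (66, 59),
    ("13.1", False): (62, 23),
    ("13.1", True): (37, 262),   # 13.1 FIPS/NDcPP train
}
# CVE-2026-4368 is listed against exactly this build; 14.1-66.59 fixes it.
AFFECTED_CVE_2026_4368 = ("14.1", (66, 54))

_VERSION_FORMS = (
    re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$"),                   # e.g. 14.1-66.54
    re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)"),  # assumed `show ns version` form
)


def parse_version(text: str) -> tuple[str, tuple[int, int]]:
    """Return (train, (build_major, build_minor)) from either version form."""
    for form in _VERSION_FORMS:
        m = form.search(text.strip())
        if m:
            return m.group(1), (int(m.group(2)), int(m.group(3)))
    raise ValueError(f"unrecognised NetScaler version string: {text!r}")


def scan_config(ns_conf: str) -> tuple[bool, bool]:
    """Detect the two preconditions in ns.conf-style lines.

    Conservative on purpose: any SAML IdP profile counts as 'SAML IdP configured',
    and any VPN (Gateway) or AAA authentication vserver counts as Gateway/AAA.
    """
    saml_idp = gateway_or_aaa = False
    for raw in ns_conf.splitlines():
        line = raw.strip()
        if line.startswith("add authentication samlIdPProfile "):
            saml_idp = True
        elif line.startswith(("add vpn vserver ", "add authentication vserver ")):
            gateway_or_aaa = True
    return saml_idp, gateway_or_aaa


@dataclass(frozen=True)
class Triage:
    train: str
    build: tuple[int, int]
    saml_idp: bool
    gateway_or_aaa: bool
    cve_2026_3055: Optional[bool]   # None: train not in the advisory table (e.g. EOL)
    cve_2026_4368: bool


def triage(version_text: str, ns_conf: str, fips_ndcpp: bool = False) -> Triage:
    """Combine version and configuration into a per-CVE exposure verdict."""
    train, build = parse_version(version_text)
    saml_idp, gateway_or_aaa = scan_config(ns_conf)

    fixed = FIXED_CVE_2026_3055.get((train, fips_ndcpp))
    if fixed is None:
        # An unsupported/EOL train: the advisory tooling does not cover it,
        # so this needs an upgrade path rather than a targeted patch.
        vuln_3055: Optional[bool] = None
    else:
        vuln_3055 = saml_idp and build < fixed

    vuln_4368 = gateway_or_aaa and (train, build) == AFFECTED_CVE_2026_4368
    return Triage(train, build, saml_idp, gateway_or_aaa, vuln_3055, vuln_4368)


# Constructed sample data for the example; not taken from any real appliance.
SAMPLE_NS_CONF = """\
add vpn vserver gw_vs SSL 198.51.100.10 443
add authentication vserver aaa_vs SSL 198.51.100.11 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
"""
SAMPLE_SHOW_VERSION = "NetScaler NS14.1: Build 66.54.nc"

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_VERSION, SAMPLE_NS_CONF))
```

The verdict for the constructed sample is both CVEs exposed: the build is 14.1-66.54, which is below 14.1-66.59 with a SAML IdP profile present, and is exactly the build listed for CVE-2026-4368 with a Gateway and an AAA vserver present. Upgrading that appliance to 14.1-66.59 flips both verdicts to clear; removing the SAML IdP profile clears CVE-2026-3055 only.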
FAQ
No. The vendor says the appliance must be configured as a SAML IdP for CVE-2026-3055 to apply.
The advisory says CVE-2026-3055 was identified internally through Cloud Software Group’s security reviews. I did not find an official statement in the sources above confirming in-the-wild exploitation at disclosure time.
CVE-2026-4368 affects appliances configured as Gateway, including SSL VPN, ICA Proxy, CVPN, and RDP Proxy, or as an AAA virtual server.
No. The advisory says Citrix-managed cloud services and Adaptive Authentication were already updated by the vendor.