Critical NetScaler flaws can expose sensitive data and mix up user sessions, Citrix warns
Cloud Software Group has warned customers to patch NetScaler ADC and NetScaler Gateway after disclosing two security flaws that can expose sensitive information or cause user session mix-ups on affected appliances. The more serious bug, CVE-2026-3055, carries a CVSS v4 base score of 9.3 and affects systems configured as a SAML Identity Provider.
The second issue, CVE-2026-4368, is a race condition that can lead to user session mix-up when the appliance runs as a Gateway or AAA virtual server. NVD lists the flaw as High severity with a CVSS v4 base score of 7.7.
Citrix says the problems affect only customer-managed NetScaler ADC and NetScaler Gateway deployments. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected because the vendor already applied infrastructure updates on its side.
What the two vulnerabilities do
CVE-2026-3055 stems from insufficient input validation in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML IDP. In practical terms, an attacker may trigger a memory overread and leak sensitive information stored in appliance memory. The CNA entry on NVD describes it as a network-reachable issue with no user interaction required.
That matters because memory disclosures can expose high-value data such as tokens, credentials, or internal state information. Citrix and multiple security vendors frame this bug as an information disclosure issue, not a confirmed remote code execution flaw.
CVE-2026-4368 is different. NVD describes it as a race condition in NetScaler ADC and NetScaler Gateway that affects appliances configured as Gateway modes such as SSL VPN, ICA Proxy, CVPN, and RDP Proxy, or as AAA virtual servers, leading to user session mix-up.
Who is affected
Citrix’s bulletin says the affected supported versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. Multiple trusted advisories mirror those same fixed builds.
Exposure also depends on how the appliance is configured. CVE-2026-3055 applies only when NetScaler runs as a SAML Identity Provider, while CVE-2026-4368 applies when it operates as a Gateway or AAA virtual server. That means not every vulnerable build is automatically exploitable in every deployment.
Security teams can use configuration checks to confirm exposure. Entries for a SAML IdP profile, an AAA virtual server, or a VPN virtual server in the running configuration identify setups that may be at risk, which matches the configuration-based scope described in official and downstream advisories.
Key details at a glance
| Item | Verified detail |
|---|---|
| CVE-2026-3055 | Insufficient input validation leading to memory overread |
| CVSS for CVE-2026-3055 | 9.3 Critical |
| Trigger condition | Appliance configured as SAML IDP |
| CVE-2026-4368 | Race condition leading to user session mix-up |
| CVSS for CVE-2026-4368 | 7.7 High |
| Trigger condition | Appliance configured as Gateway or AAA virtual server |
| Affected products | Customer-managed NetScaler ADC and NetScaler Gateway |
| Fixed versions | 14.1-66.59, 13.1-62.23, 13.1-37.262 for FIPS and NDcPP |
What admins should do now
- Upgrade affected appliances to the latest fixed builds as soon as possible.
- Check whether NetScaler runs as a SAML IDP, Gateway, or AAA virtual server, because those modes determine exposure.
- Review logs and active sessions after patching, especially on internet-facing appliances that handle authentication or remote access traffic. Given that the flaws concern memory disclosure and session mix-up, this is a sensible defensive step.
- Use NetScaler Console’s advisory tools if available. Citrix has published guidance on identifying impacted instances for CVE-2026-3055.
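As an added example (not Citrix's tooling or code from the original article), the following Python script checks a NetScaler build string against the fixed builds named above and scans an ns.conf excerpt for the SAML IdP, AAA virtual server and VPN virtual server roles that put each CVE in scope; the configuration command names and the sample config are assumptions constructed for illustration.

```python
import re
# Fixed builds from the bulletin, keyed by (branch, edition); 13.1-FIPS/NDcPP has its own fix build.
FIXED_BUILDS = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),  # also applies to NDcPP
}

# Constructed ns.conf excerpt; command names assumed from NetScaler CLI syntax.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication vserver aaa_vs SSL 10.0.0.20 443
add vpn vserver gw_vs SSL 10.0.0.21 443
add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert
"""

def parse_version(text):
    """Accept '14.1-66.59' or 'NetScaler NS13.1: Build 58.32.nc'; (None, None) if unparsable."""
    m = re.search(r"(\d+\.\d+)\D+?(\d+)\.(\d+)", text)
    return (m.group(1), (int(m.group(2)), int(m.group(3)))) if m else (None, None)

def is_patched(version, edition="standard"):
    """True/False against the fixed build for the branch; None if branch/edition unknown."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, edition))
    return None if fixed is None else build >= fixed

def exposed_roles(ns_conf):
    """Map each CVE to the configured roles that bring it into scope."""
    roles = {"CVE-2026-3055": [], "CVE-2026-4368": []}
    for line in ns_conf.splitlines():
        if re.match(r"add authentication samlIdPProfile\s", line):
            roles["CVE-2026-3055"].append("SAML IdP profile")
        elif re.match(r"add authentication vserver\s", line):
            roles["CVE-2026-4368"].append("AAA vserver")
        elif re.match(r"add vpn vserver\s", line):
            roles["CVE-2026-4368"].append("Gateway (VPN) vserver")
    return roles

def assess(version, ns_conf, edition="standard"):
    """Combine the build check and the role check into a per-CVE verdict."""
    patched, verdicts = is_patched(version, edition), {}
    for cve, found in exposed_roles(ns_conf).items():
        if not found:
            verdicts[cve] = "not in scope (role not configured)"
        elif patched is None:
            verdicts[cve] = "unknown build, verify manually"
        else:
            verdicts[cve] = "fixed build" if patched else "exposed: " + ", ".join(found)
    return verdicts
```

Feed it the output of the version command and the running configuration; pass edition="fips" for FIPS and NDcPP appliances, because their fix build (13.1-37.262) is numerically lower than the standard 13.1 fix and a plain compare would misjudge them.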
Why this bulletin matters
Citrix appliances often sit at the edge of enterprise networks and handle authentication-heavy traffic. A memory disclosure bug on a SAML IdP system or a session mix-up issue on Gateway infrastructure can create serious exposure, even without remote code execution.
At the same time, admins should keep the risk in the right lane. The official descriptions focus on information leakage and session integrity issues. They do not say these bugs directly let attackers take over the appliance or “compromise the network” outright. That distinction matters when teams set patching priorities and communicate risk internally.
Several public advisories and security researchers also highlighted how configuration-specific these issues are. That makes fast validation just as important as patching, especially in large environments where NetScaler roles vary across appliances.
FAQ
What is CVE-2026-3055?
It is a critical NetScaler vulnerability caused by insufficient input validation that can lead to memory overread when the appliance is configured as a SAML Identity Provider.
What is CVE-2026-4368?
It is a race condition flaw that can cause user session mix-up when NetScaler runs as a Gateway or AAA virtual server.
Which deployments are affected?
Citrix says customer-managed appliances are affected. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected.
Which versions fix the flaws?
Trusted advisories point to fixed versions 14.1-66.59, 13.1-62.23, and 13.1-37.262 for FIPS and NDcPP editions.