NetScaler: a flaw that exposes memory via SAML
On March 23, 2026, Citrix released patches for two vulnerabilities in NetScaler ADC and NetScaler Gateway, including CVE-2026-3055 with a CVSS score of 9.3. This flaw allows an unauthenticated attacker to read system memory, potentially exposing sensitive data.
Technical details
- CVE: CVE-2026-3055
- CVSS: 9.3
- Type: out-of-bounds memory read
- Cause: insufficient input validation in SAML processing
- Condition: the appliance must be configured as a SAML Identity Provider (IdP)
What can leak
The mechanism is comparable to Heartbleed (2014): an out-of-bounds read returns whatever happens to sit in the adjacent memory, so the attacker does not pick what comes back, but NetScaler process memory can hold active session tokens, user credentials in transit, TLS private keys, and internal configuration data, and any of these can turn up in the leaked bytes.
Who is affected
You are vulnerable if you run NetScaler ADC or Gateway AND the appliance is configured as a SAML Identity Provider. Pure load-balancer or VPN-only deployments are not expected to be affected, since the flaw sits in SAML IdP processing. Confirm this against the running configuration rather than the appliance's nominal role: a SAML IdP profile bound to an authentication virtual server is what matters, not what the box is called.
Remediation
- Apply the Citrix patch released March 23, 2026
- Check your SAML configuration: is a SAML IdP profile defined and bound on this appliance?
- Force session rotation: invalidate all active session tokens after patching, since any token resident in memory before the patch may already have been read
- Monitor logs: look for abnormally large or malformed SAML requests reaching the IdP endpoint
- Rotate TLS certificates and private keys if you suspect pre-patch exploitation, because TLS keys are among the data the leaked memory can contain
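As an added example that is not part of the original advisory and not Citrix tooling, the following Python script works through the configuration check and the log-monitoring item above. It reports which SAML IdP profiles are actually bound on a constructed ns.conf excerpt, and it decodes the SAMLRequest parameter from constructed access-log lines and flags values that are oversized or are not a parseable AuthnRequest. The ns.conf command shapes (add authentication samlIdPProfile / samlIdPPolicy, bind authentication vserver), the log-line layout, and the 8 KiB size threshold are assumptions for illustration; the SAML HTTP-Redirect binding encoding it undoes (raw DEFLATE, then base64, then URL-encoding) is the standard one.

```python
import base64
import binascii
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

# --- 1. Is this appliance acting as a SAML IdP? ------------------------------
# Constructed ns.conf excerpt. Assumption: one NetScaler CLI command per line,
# using the samlIdPProfile / samlIdPPolicy / bind authentication vserver verbs.
SAMPLE_NS_CONF = """\
add lb vserver lb_web HTTP 10.0.0.10 80
add authentication vserver auth_vs SSL 10.0.0.20 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication samlIdPProfile idp_unused -samlIdPCertName idp_cert -samlSPCertName sp_cert -assertionConsumerServiceURL "https://old.example.test/acs"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
bind authentication vserver auth_vs -policy idp_pol -priority 100
"""


def bound_saml_idp_profiles(ns_conf):
    """Return SAML IdP profile names reachable via a policy bound to a vserver.

    Only a bound profile exposes the IdP endpoint; idp_unused above is defined
    but bound nowhere, so it is not reported.
    """
    profiles, policy_action, bound_policies = set(), {}, set()
    for line in ns_conf.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[:3] == ["add", "authentication", "samlIdPProfile"]:
            profiles.add(t[3])
        elif t[:3] == ["add", "authentication", "samlIdPPolicy"] and "-action" in t:
            policy_action[t[3]] = t[t.index("-action") + 1]
        elif t[:3] == ["bind", "authentication", "vserver"] and "-policy" in t:
            bound_policies.add(t[t.index("-policy") + 1])
    return sorted(profiles & {policy_action.get(p) for p in bound_policies})


# --- 2. Triage SAMLRequest values seen in access logs -----------------------
MAX_DECODED_BYTES = 8192  # assumption: a real AuthnRequest is far below this
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed, well-formed AuthnRequest used to build a "normal" log line.
AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_id1" Version="2.0" '
    'IssueInstant="2026-03-24T10:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/acs">'
    "<saml:Issuer>https://sp.example.test</saml:Issuer></samlp:AuthnRequest>"
)


def redirect_encode(xml_text):
    """Encode as HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")


# Constructed access-log lines. Assumed layout: timestamp client-ip method path.
SAMPLE_LOG = [
    "2026-03-24T10:00:00Z 203.0.113.5 GET /saml/login?SAMLRequest="
    + redirect_encode(AUTHN_REQUEST),
    "2026-03-24T10:00:07Z 198.51.100.9 GET /saml/login?SAMLRequest="
    + redirect_encode("<samlp:AuthnRequest" + "A" * 20000),
    "2026-03-24T10:00:09Z 198.51.100.9 GET /saml/login?SAMLRequest=%21%21not-base64%21%21",
]


def decode_saml_request(value):
    """Undo URL-encoding and base64, then raw-inflate (falls back to POST binding)."""
    raw = base64.b64decode(unquote(value), validate=True)
    try:
        return zlib.decompress(raw, -15)  # redirect binding: raw DEFLATE stream
    except zlib.error:
        return raw  # POST binding carries plain base64 XML


def triage_saml_request(value, max_bytes=MAX_DECODED_BYTES):
    """Return (verdict, detail): verdict is 'ok', 'oversized' or 'malformed'."""
    try:
        xml_bytes = decode_saml_request(value)
    except (binascii.Error, ValueError) as exc:
        return ("malformed", f"base64 decode failed: {exc}")
    if len(xml_bytes) > max_bytes:  # size check first: never parse a huge blob
        return ("oversized", f"{len(xml_bytes)} bytes decoded")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return ("malformed", f"XML parse failed: {exc}")
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return ("malformed", f"unexpected root element {root.tag}")
    return ("ok", f"{len(xml_bytes)} bytes, AuthnRequest")


def triage_log(lines):
    """Return [(client_ip, verdict, detail)] for every line carrying a SAMLRequest."""
    out = []
    for line in lines:
        m = re.search(r"^(\S+) (\S+) \S+ \S*[?&]SAMLRequest=([^&\s]+)", line)
        if m:
            out.append((m.group(2),) + triage_saml_request(m.group(3)))
    return out


if __name__ == "__main__":
    print("bound SAML IdP profiles:", bound_saml_idp_profiles(SAMPLE_NS_CONF))
    for ip, verdict, detail in triage_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict:9} {detail}")
```

Run the first function over a saved copy of the appliance's running configuration and the second over the access logs you actually have; a profile that is defined but unbound is still worth removing, and the size and well-formedness checks only flag what the advisory describes (abnormally large or malformed requests), so treat hits as triage leads rather than a signature for this CVE.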
Recommended reading
These are affiliate links. If you make a purchase through these links, we may earn a commission at no extra cost to you.
- Destination CISSP: covers authentication protocol security and certificate management.
- NordVPN: additional encryption layer for remote access.
Sources
- CVE-2026-3055 - Arctic Wolf
- Citrix Security Advisory - Citrix