PT-2026-27202 · Citrix · NetScaler ADC +1
Aliz Hammond · Published 2026-03-23 · Updated 2026-04-01 · CVE-2026-3055
CVSS v2.0: 10 (Critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Citrix NetScaler ADC and NetScaler Gateway versions prior to 14.1-66.59 and 13.1-62.23
Description: Citrix NetScaler ADC and NetScaler Gateway are affected by a critical memory overread vulnerability (CVE-2026-3055) that allows unauthenticated attackers to read sensitive memory. The vulnerability is triggered by sending crafted SAML requests to the /saml/login and /wsfed/passive endpoints, specifically when the appliance is configured as a SAML Identity Provider (IdP). The flaw allows attackers to leak HTTP headers, session IDs, and administrative tokens. Active exploitation has been observed, with attackers probing systems and attempting to extract sensitive information. The vulnerability is similar to previous CitrixBleed incidents. Attackers are actively fingerprinting systems using requests to /cgi/GetAuthMethods to identify vulnerable SAML IdP configurations. The leaked memory appears base64-encoded in the NSC TASS cookie of the response.
Recommendations: Update NetScaler ADC and NetScaler Gateway deployments running versions prior to 14.1-66.59 and 13.1-62.23 to the latest builds available from Citrix. Monitor for requests to the /wsfed/passive?wctx and /saml/login endpoints, for large NSC TASS cookie values, for 302 redirects with abnormally long Set-Cookie headers, and for Citrix-ns-orig-srcip headers appearing in leaked memory. Restrict access to the vulnerable endpoints where possible.
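The monitoring guidance above, as an added example that is not part of the original advisory: a small Python checker that applies the recommended indicators (watched endpoints, oversized Set-Cookie on 302 responses, and a Citrix-ns-orig-srcip header inside a base64-decoded cookie) to constructed sample log lines. The log format, the 1024-byte threshold, and the literal cookie name NSC_TASS (the page writes it as NSC TASS) are assumptions.

```python
import base64
import binascii
import re

# Constructed stand-in for leaked memory: one header fragment padded with
# filler bytes, base64-encoded the way the advisory says the leak appears.
_LEAK = base64.b64encode(
    b"\x00" * 700 + b"Citrix-ns-orig-srcip: 10.0.0.5\r\n" + b"\x00" * 700
).decode()

# Constructed sample log (not a real NetScaler format): tab-separated
# client_ip, method, path, status, Set-Cookie value or "-" when absent.
SAMPLE_LOG = "\n".join([
    "203.0.113.7\tGET\t/cgi/GetAuthMethods\t200\t-",
    f"203.0.113.7\tGET\t/wsfed/passive?wctx=AAAA\t302\tNSC_TASS={_LEAK}; Path=/; Secure",
    "198.51.100.2\tPOST\t/saml/login\t302\tNSC_TASS=c2hvcnQ=; Path=/; Secure",
    "192.0.2.9\tGET\t/logon/LogonPoint/index.html\t200\t-",
])

WATCHED_PATHS = {"/saml/login", "/wsfed/passive", "/cgi/GetAuthMethods"}
COOKIE_LEN_THRESHOLD = 1024  # assumption: tune against your own baseline
COOKIE_RE = re.compile(r"(NSC_\w+)=([A-Za-z0-9+/=]+)")  # cookie name assumed

def analyze_line(line):
    """Return the list of advisory indicators matched by one log line."""
    _client_ip, _method, path, status, set_cookie = line.split("\t")
    route, _, query = path.partition("?")
    findings = []
    if route in WATCHED_PATHS:
        findings.append(f"request to watched endpoint {route}")
    if route == "/wsfed/passive" and "wctx=" in query:
        findings.append("/wsfed/passive called with wctx")
    if status == "302" and len(set_cookie) > COOKIE_LEN_THRESHOLD:
        findings.append(f"302 with {len(set_cookie)}-byte Set-Cookie")
    m = COOKIE_RE.match(set_cookie)
    if m:
        try:
            blob = base64.b64decode(m.group(2), validate=True)
        except binascii.Error:
            blob = b""  # not base64: nothing to inspect
        if b"Citrix-ns-orig-srcip" in blob:
            findings.append(f"{m.group(1)} cookie decodes to leaked request headers")
    return findings

def scan(log_text):
    """Map 1-based line numbers to their findings, omitting clean lines."""
    found = {n: analyze_line(l) for n, l in enumerate(log_text.splitlines(), 1)}
    return {n: f for n, f in found.items() if f}
```

Running scan(SAMPLE_LOG) flags the first three lines (the fingerprinting probe, the oversized leaking redirect, and the plain SAML login) while the ordinary logon request produces no finding; a hit on the watched endpoints alone is expected traffic for a SAML IdP, so the cookie-size and decoded-header rules are the ones worth alerting on.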

Exploit · Fix · RCE · DoS · LPE · Out of bounds Read

Weakness Enumeration

Related Identifiers

BDU:2026-03524
CVE-2026-3055

Affected Products

NetScaler ADC
NetScaler Gateway