NAVANEM
CVE-2026-3055 (exploited in the wild)

Citrix NetScaler ADC and Gateway, unauthenticated out-of-bounds read in SAML IdP (memory overread)

Insufficient input validation in Citrix NetScaler ADC and NetScaler Gateway, when the appliance is configured as a SAML Identity Provider, leads to a memory overread. A remote, unauthenticated attacker can read sensitive information from the appliance's memory, including, under some conditions, active session material. Default configurations are not affected. CISA added the flaw to its Known Exploited Vulnerabilities catalog following large-scale exploitation.

Overview

CVE-2026-3055 is a critical out-of-bounds read in Citrix NetScaler ADC and NetScaler Gateway that occurs when the appliance is configured as a SAML Identity Provider (SAML IdP). Insufficient input validation lets a remote, unauthenticated attacker read memory beyond the intended bounds, leaking sensitive content from the appliance, including active session material under some conditions. Citrix published bulletin CTX696300 on 23 March 2026. NVD assigns a primary CVSS 3.1 base score of 9.8 (Citrix's own CVSS 4.0 score is 9.3). Default configurations are not affected; only appliances explicitly acting as a SAML IdP are exposed. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 30 March 2026.

Technical Details

The flaw is an out-of-bounds read (CWE-125) in the SAML IdP request-handling code. Because a length or boundary value derived from attacker-controlled input is not properly validated, the appliance reads past the end of a buffer and returns adjacent memory contents in its response. Repeated requests let an attacker harvest fragments of process memory, which can include session tokens and other secrets. The conceptual parallel to earlier NetScaler memory-disclosure bugs has made the vulnerability a high-value target, and exploitation requires no authentication.

Impact

  • Unauthenticated disclosure of sensitive memory contents from the appliance
  • Theft of active session tokens enabling session hijacking and authentication bypass
  • Exposure of secrets that can seed deeper compromise of the appliance and protected applications
  • High exploitation risk for any internet-facing NetScaler configured as a SAML IdP

Mitigation

  1. Upgrade NetScaler ADC and Gateway 14.1 to 14.1-66.59 or later.
  2. Upgrade NetScaler ADC and Gateway 13.1 to 13.1-62.23 or later.
  3. Upgrade NetScaler ADC 13.1-FIPS and 13.1-NDcPP to 13.1-37.262 or later.
  4. After upgrading, terminate all active ICA and PCoIP sessions to invalidate any tokens an attacker may have harvested before patching.
  5. If a SAML IdP role is not required, reconfigure the appliance so it is not acting as a SAML IdP to remove the affected attack surface.
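The fixed builds above differ by branch and variant, and the FIPS/NDcPP build numbers (13.1-37.x) are numerically lower than the mainline 13.1 fixed build (62.23), so a naive "is my build number higher" comparison gives the wrong answer. The following is an added example, not Citrix tooling: it encodes the fixed builds exactly as this page lists them and decides patched/unpatched per branch and variant. The `14.1-66.59` version-string format follows the page; mapping a live appliance's version output onto that format is left to the caller and is an assumption of the example.

```python
"""Fixed-build check for CVE-2026-3055 (added example, not Citrix tooling).

Fixed builds come from the Mitigation list on this page. The version-string
format "14.1-66.59" follows the page; converting an appliance's own version
output into that form is assumed to be done by the caller.
"""
import re
from typing import Optional, Tuple

# Minimum fixed builds per (release branch, variant); variant "" is mainline.
# FIPS and NDcPP builds share a separate, lower-numbered build line, which
# is why the variant must be part of the key rather than a plain comparison.
FIXED_BUILDS = {
    ("14.1", ""): (66, 59),
    ("13.1", ""): (62, 23),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-66.59' into ('14.1', (66, 59)); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_fixed(version: str, variant: str = "") -> Optional[bool]:
    """True if at or above the fixed build, False if below,
    None if the branch/variant is not covered by the bulletin."""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    # Tuple comparison orders by major build first, then minor build.
    return build >= fixed


def assess(version: str, variant: str = "", saml_idp_configured: bool = False) -> str:
    """Combine the build check with the exposure condition from the advisory."""
    fixed = is_fixed(version, variant)
    if fixed is None:
        return "unknown branch: consult CTX696300 directly"
    if fixed:
        return "patched"
    if not saml_idp_configured:
        return "unpatched but not exposed (no SAML IdP role): upgrade anyway"
    return "VULNERABLE: unpatched and acting as SAML IdP; upgrade, then terminate sessions"


if __name__ == "__main__":
    for v, var, idp in [("14.1-65.200", "", True), ("13.1-37.262", "", False),
                        ("13.1-37.262", "FIPS", True), ("12.1-55.10", "", True)]:
        print(f"{v:<12} {var or 'mainline':<9} saml_idp={idp}: {assess(v, var, idp)}")
```

Note the third sample input: 13.1-37.262 is patched only when it is a FIPS or NDcPP build; the same string on a mainline 13.1 appliance is an old, unpatched build.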

Detection

  • CISA added CVE-2026-3055 to the KEV catalog on 30 March 2026 with a near-immediate remediation due date.
  • Confirm whether any virtual server is configured as a SAML IdP, as only that configuration is vulnerable.
  • Security researchers at watchTowr Labs published a technical analysis on 29 March 2026 and a public exploit module was released, so treat exposed appliances as actively targeted.
  • Monitor SAML IdP endpoints for high volumes of malformed requests and review session activity for tokens reused from unexpected locations.
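Because only appliances acting as a SAML IdP are exposed, the first triage step on a fleet is to find which authentication vservers actually have a SAML IdP policy bound. The following is an added example, not Citrix's own tooling: it parses an ns.conf export and reports the vservers whose bound policies resolve to a SAML IdP profile. The directive forms used (`add authentication samlIdPProfile`, `add authentication samlIdPPolicy ... -action <profile>`, `bind authentication vserver <vs> -policy <policy>`) are the NetScaler syntax as the author of this example understands it, and the sample config is constructed; verify both against a real ns.conf from the build in question.

```python
"""Find authentication vservers with a SAML IdP policy bound (added example).

Parses NetScaler ns.conf lines. The sample config below is constructed for
illustration; the directive syntax is an assumption to verify against the
appliance's own configuration.
"""
import shlex
from typing import Dict, Set

# Constructed ns.conf excerpt: two auth vservers, only auth_vs has SAML IdP.
SAMPLE_NS_CONF = """\
add authentication vserver auth_vs SSL 10.0.0.5 443
add authentication vserver plain_vs SSL 10.0.0.6 443
add authentication samlIdPProfile idp_prof -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
add authentication ldapPolicy ldap_pol -rule true -action ldap_act
bind authentication vserver auth_vs -policy idp_pol -priority 100
bind authentication vserver plain_vs -policy ldap_pol -priority 100
"""


def _flag_value(tokens, flag):
    """Return the token following `flag`, or None if absent or dangling."""
    if flag in tokens:
        i = tokens.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def saml_idp_vservers(ns_conf: str) -> Set[str]:
    """Return the set of authentication vservers with a SAML IdP policy bound.

    Two passes: collect definitions first, then resolve bindings, so the
    result does not depend on the order of lines in the export.
    """
    profiles: Set[str] = set()
    policy_action: Dict[str, str] = {}
    bindings = []  # (vserver, policy) pairs

    for raw in ns_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if tok[:3] == ["add", "authentication", "samlIdPProfile"] and len(tok) > 3:
            profiles.add(tok[3])
        elif tok[:3] == ["add", "authentication", "samlIdPPolicy"] and len(tok) > 3:
            action = _flag_value(tok, "-action")
            if action:
                policy_action[tok[3]] = action
        elif tok[:3] == ["bind", "authentication", "vserver"] and len(tok) > 3:
            policy = _flag_value(tok, "-policy")
            if policy:
                bindings.append((tok[3], policy))

    # A vserver is exposed only if a bound policy's action is a SAML IdP profile.
    return {
        vs for vs, pol in bindings
        if policy_action.get(pol) in profiles
    }


if __name__ == "__main__":
    exposed = saml_idp_vservers(SAMPLE_NS_CONF)
    print("SAML IdP vservers:", sorted(exposed) or "none (default configuration)")
```

An empty result means the appliance is in the "default configuration is not affected" case for this CVE; it should still be upgraded, but it is not in the exposed population that the KEV listing and the public exploit module make urgent.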
