We use cookies to improve your experience on our site and enable certain core website functionalities. For more information, visit our Privacy Policy page.

Accept
  • Insights

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368

Gedeon Richemond

2 min read

All Insights

NetScaler ADC and NetScaler Gateway Security Bulletin for  CVE-2026-3055 and CVE-2026-4368

Opt-in for expert insights & industry event invites  

 
Description of Problem
A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.
 
Affected Versions
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 
CVE-2026-3055:
  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262
CVE-2026-4368:
  • NetScaler ADC and NetScaler Gateway  14.1-66.54
Summary
CVE-ID Description Pre-conditionsCWECVSSv4
CVE-2026-3055Insufficient input validation leading to memory overreadCitrix ADC or Citrix Gateway must be configured as a SAML IDPCWE-125: Out-of-bounds ReadCVSS v4.0 Base Score: 9.3(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
CVE-2026-4368Race Condition leading to User Session MixupAppliance must be configured as:Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) ORAAA virtual serverCWE-362: Race ConditionCVSS v4.0 Base Score: 7.7(CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/

What Customers Should Do

CVE 2026-3055 was identified internally through our ongoing security reviews and broader efforts to strengthen the security of the product. 

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

  • NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

Note: Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

CVE-2026-3055 : 

Customers can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string:

  • add authentication samlIdPProfile .*

CVE-2026-4368

Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings

  • An Auth Server (AAA Vserver):
    • add authentication vserver .*
  • A Gateway (VPN Vserver,  ICA Proxy, CVPN, RDP Proxy) :
    • add vpn vserver .*
More Information

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368