Critical Memory Overread in Citrix NetScaler (CVE‑2026‑3055) Risks Data Leakage for SAML IdP Deployments
What It Is – Citrix disclosed a critical memory‑overread vulnerability (CVE‑2026‑3055) in its NetScaler ADC/Gateway products. The flaw stems from insufficient input validation and can be triggered when the appliance is configured as a SAML Identity Provider (IdP). An unauthenticated remote attacker can read arbitrary memory, potentially exposing authentication tokens, configuration data, and other sensitive information.
Exploitability – The vulnerability carries a CVSS 9.3 (Critical). No public proof‑of‑concept or in‑the‑wild exploits have been observed yet, but the high severity and ease of remote exploitation make it a prime target once exploit code surfaces.
Affected Products – Citrix ADC (formerly NetScaler) and Citrix Gateway appliances operating as SAML IdPs. Default (non‑IdP) configurations are not vulnerable.
TPRM Impact –
- Organizations that rely on Citrix NetScaler for SSO risk exposing internal credentials and session data, and that exposure extends to the third parties they federate with.
- Downstream vendors and partners consuming the compromised IdP may inherit leaked authentication material, amplifying supply‑chain exposure.
Recommended Actions –
- Inventory all Citrix NetScaler/Gateway devices and identify any configured as SAML IdPs (add authentication samlIdPProfile …).
- Deploy the Citrix security update for CVE‑2026‑3055 (and CVE‑2026‑4368) without delay.
- Verify that default configurations are not unintentionally exposing SAML IdP functionality.
- Implement network monitoring for anomalous data exfiltration from the appliance.
- Review and harden SAML IdP settings, limiting exposure to only required service providers.
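To support the inventory and hardening steps above, the following added example (not from the advisory or from Citrix) scans a saved NetScaler configuration for SAML IdP profiles and reports which ones are actually reachable through a policy bound to an authentication vserver versus merely defined. It assumes the ns.conf line shapes `add authentication samlIdPProfile`, `add authentication samlIdPPolicy ... -action <profile>` and `bind authentication vserver <vs> -policy <policy>`; the configuration fragment is constructed for illustration.

```python
import re

# Constructed ns.conf fragment (not from the advisory or a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof_hr -samlSPCertName sp_hr -samlIdPCertName idp_cert -assertionConsumerServiceURL "https://hr.example.test/saml/acs"
add authentication samlIdPPolicy idp_pol_hr -rule true -action idp_prof_hr
add authentication vserver auth_vs SSL 10.0.0.20 443
bind authentication vserver auth_vs -policy idp_pol_hr -priority 100
add authentication samlIdPProfile idp_prof_stale -samlSPCertName sp_old -samlIdPCertName idp_cert
"""

# Assumed line shapes for the three objects that together expose SAML IdP functionality.
RE_PROFILE = re.compile(r'^add authentication samlIdPProfile (\S+)', re.M)
RE_POLICY = re.compile(r'^add authentication samlIdPPolicy (\S+) .*-action (\S+)', re.M)
RE_BIND = re.compile(r'^bind authentication vserver (\S+) -policy (\S+)', re.M)


def find_saml_idp_exposure(ns_conf: str) -> dict:
    """Return SAML IdP profiles, which vservers expose each, and profiles defined but unbound."""
    profiles = set(RE_PROFILE.findall(ns_conf))
    # Map policy name -> profile name so a vserver binding can be traced back to a profile.
    policy_to_profile = {pol: prof for pol, prof in RE_POLICY.findall(ns_conf)}
    bound: dict[str, list[str]] = {}
    for vserver, policy in RE_BIND.findall(ns_conf):
        prof = policy_to_profile.get(policy)
        if prof in profiles:
            bound.setdefault(prof, []).append(vserver)
    return {
        "profiles": sorted(profiles),              # every IdP profile present (patch all of these)
        "bound": bound,                            # profile -> vservers that actually serve it
        "unbound": sorted(profiles - set(bound)),  # defined but unreachable; candidates for removal
    }


if __name__ == "__main__":
    for key, value in find_saml_idp_exposure(SAMPLE_NS_CONF).items():
        print(f"{key}: {value}")
```

Any appliance whose output lists at least one profile is in scope for the update; profiles that appear under "unbound" are leftover configuration worth removing as part of hardening.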
Source: Security Affairs – Citrix NetScaler critical flaw could leak data, update now