Critical Memory Leak and Session Hijacking Vulnerabilities Patched in Citrix NetScaler
Take action: If possible, make sure your NetScaler ADC and Gateway appliances are isolated from the internet and accessible from trusted networks only. Then plan a quick update. If you can't isolate them from the internet, this is urgent. Update the firmware to the fixed versions (14.1-66.59, 13.1-62.23, or 13.1-37.262 for FIPS/NDcPP). Attackers have previously exploited similar flaws via the CitrixBleed exploit.
Learn More
Citrix released security updates for NetScaler ADC and NetScaler Gateway to address two security vulnerabilities, including one critical. The vulnerabilities allow unauthenticated attackers to access sensitive memory data or hijack active user sessions.
Vulnerabilities summary:
- CVE-2026-3055 (CVSS score 9.3): An out-of-bounds read vulnerability in the SAML Identity Provider (IDP) component that occurs due to insufficient input validation. By sending specially crafted requests, a remote attacker can trigger an overly long memory read to exfiltrate sensitive data from the appliance's memory. This flaw is technically similar to the previous "CitrixBleed" exploit, potentially exposing session tokens or private keys to unauthenticated actors.
- CVE-2026-4368 (CVSS score 7.7): A race condition in the Gateway and AAA virtual server modules that leads to user session mixups. The flaw is triggered during concurrent session processing, causing the appliance to incorrectly swap session identifiers between different users. An attacker can use this mechanism to gain access to a legitimate user's authenticated session without providing credentials, resulting in full account takeover.
If an attacker exploits the memory overread, they can capture session cookies to bypass multi-factor authentication (MFA) in subsequent attacks. The session mixup vulnerability allows for lateral movement within the network by landing an attacker directly into a high-privilege user session. These risks are increased for organizations using Citrix as their primary remote access solution for employees and third-party vendors.
The vulnerabilities affect multiple versions of customer-managed NetScaler ADC and NetScaler Gateway.
- Version 14.1 prior to 14.1-66.59 and version 13.1 prior to 13.1-62.23 are vulnerable.
- FIPS-certified and NDcPP instances are also affected if they are running versions earlier than 13.1-37.262.
Citrix-managed cloud services and Adaptive Authentication have already been updated by the vendor and do not require customer action.
Administrators should immediately apply the latest firmware updates to all affected appliances to mitigate these risks. The fixed versions are 14.1-66.59, 13.1-62.23, and 13.1-37.262 for FIPS/NDcPP models.
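An added example, not from the advisory or from Citrix: a small Python check that classifies a customer-managed NetScaler build against the fixed versions listed above, for use when walking an appliance inventory. The 'branch-build.sub' version format (e.g. '14.1-66.59') is assumed from the version strings on this page, and a branch the page does not mention is reported as unknown rather than safe.

```python
import re
from typing import Dict, Tuple

# Fixed builds as stated in the advisory, keyed by (release branch, FIPS/NDcPP track).
# Values are (build, sub-build); a running build at or above the value is fixed.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (66, 59),    # 14.1-66.59
    ("13.1", False): (62, 23),    # 13.1-62.23
    ("13.1", True): (37, 262),    # 13.1-37.262 on the FIPS / NDcPP track
}

# Version format 'branch-build.sub' is an assumption taken from the strings on the page.
_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)\s*$")


def parse_version(version: str) -> Tuple[str, int, int]:
    """Split '14.1-66.59' into ('14.1', 66, 59); reject anything that does not match."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, build, sub = match.groups()
    return branch, int(build), int(sub)


def assess(version: str, fips_or_ndcpp: bool = False) -> str:
    """Classify a build as 'fixed', 'vulnerable' or 'unknown' for CVE-2026-3055 / CVE-2026-4368.

    'unknown' means the branch is not covered by the advisory text; treat it as
    needing a manual check against the vendor bulletin, not as safe.
    """
    branch, build, sub = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips_or_ndcpp))
    if fixed is None:
        return "unknown"
    return "fixed" if (build, sub) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, FIPS/NDcPP?). Not real appliances.
    inventory = [
        ("gw-dc1", "14.1-65.10", False),
        ("gw-dc2", "14.1-66.59", False),
        ("adc-fips", "13.1-37.261", True),
        ("adc-legacy", "13.0-92.21", False),
    ]
    for host, version, fips in inventory:
        track = "FIPS/NDcPP" if fips else "standard"
        print(f"{host:<12} {version:<12} {track:<11} {assess(version, fips)}")
```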