[Alert] Citrix NetScaler Critical Flaw: SAML Memory Leak Exposure

Dillip Chowdary

March 24, 2026 • 8 min read

A critical vulnerability, tracked as CVE-2026-3055, has been disclosed in Citrix NetScaler ADC and NetScaler Gateway. With a CVSS score of 9.3, this out-of-bounds read flaw allows unauthenticated attackers to leak sensitive memory from appliances configured as SAML Identity Providers (IdP).

The Technical Breakdown

The vulnerability resides in the way NetScaler handles specific SAML responses. An attacker can craft a malicious SAML request that triggers an out-of-bounds read during the parsing of identity attributes. This results in the leakage of system memory, which may contain session cookies, private keys, and user credentials.

Security researchers warn that this exploitation pattern is reminiscent of the "CitrixBleed" attacks seen in previous years. The lack of authentication required for exploitation makes this a "priority one" patch for enterprise infrastructure teams.

Scope of Impact

  • NetScaler ADC and Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and Gateway 13.0 (End of Life)

Remediation Steps

Citrix has released emergency firmware updates for all supported versions. Organizations using NetScaler as a SAML SP or SAML IdP must apply these patches immediately. If immediate patching is not possible, administrators should consider disabling SAML authentication where applicable or restricting access to the management interface.
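To turn the version list and the remediation guidance above into a repeatable check, here is an added triage helper (example code written for this post, not Citrix's own tooling). It parses the firmware banner that `show ns version` prints, compares the build against the first fixed builds named in the advisory, and scans a saved `ns.conf` for SAML IdP or SP configuration lines so the two facts can be combined into a single "patch now" verdict. Assumptions: the advisory's "14.1-12.35" notation is taken to mean release 14.1, build 12.35; the banner format `NetScaler NS14.1: Build 12.35.nc` and the `samlIdPProfile` / `samlAction` keywords are the ones this example keys on; the sample banners and config lines are constructed for illustration.

```python
import re
from typing import Dict, Optional, Set, Tuple

# First fixed build per release, as listed in the advisory.
# 13.0 is end of life, so every build is treated as affected (None).
FIXED_BUILDS: Dict[str, Optional[Tuple[int, int]]] = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": None,
}

# Assumed banner format: "NetScaler NS14.1: Build 12.35.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# Assumed config keywords that indicate a SAML role on the appliance.
SAML_MARKERS = {
    "samlIdPProfile": "IdP",   # appliance acts as SAML Identity Provider
    "samlAction": "SP",        # appliance acts as SAML Service Provider
}


def parse_version(banner: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, build, sub_build) from a version banner, or None."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return match.group(1), int(match.group(2)), int(match.group(3))


def is_affected(banner: str) -> Optional[bool]:
    """True if the build is below the fixed build for its release.

    Returns None when the banner cannot be parsed or the release is not
    one the advisory lists, so callers can distinguish 'unknown' from 'safe'.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return None
    release, build, sub = parsed
    if release not in FIXED_BUILDS:
        return None
    fixed = FIXED_BUILDS[release]
    if fixed is None:          # end-of-life train: no fixed build exists
        return True
    return (build, sub) < fixed  # tuple comparison handles build/sub-build order


def saml_roles(ns_conf: str) -> Set[str]:
    """Collect SAML roles from configuration lines, ignoring comments."""
    roles: Set[str] = set()
    for line in ns_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for marker, role in SAML_MARKERS.items():
            if marker in stripped:
                roles.add(role)
    return roles


def triage(banner: str, ns_conf: str) -> Dict[str, object]:
    """Combine version and configuration into an actionable verdict.

    'exposed' is True only when the firmware is affected AND the appliance
    carries a SAML role, matching the advisory's remediation scope.
    """
    affected = is_affected(banner)
    roles = saml_roles(ns_conf)
    return {
        "release": (parse_version(banner) or (None,))[0],
        "affected_version": affected,
        "saml_roles": sorted(roles),
        "exposed": bool(affected) and bool(roles),
        "action": "patch now" if (affected and roles)
        else "patch on schedule" if affected
        else "verify manually" if affected is None
        else "no action for this CVE",
    }


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    sample_banner = "NetScaler NS14.1: Build 12.34.nc, Date: Jan 1 2026"
    sample_conf = "\n".join([
        "# constructed ns.conf excerpt",
        "add authentication samlIdPProfile corp_idp -samlIdPCertName idp_cert",
        "add lb vserver web_vs HTTP 10.0.0.5 80",
    ])
    print(triage(sample_banner, sample_conf))
```

The helper deliberately returns `None` rather than `False` for unparsable banners and unlisted releases: a triage script that silently reports "not affected" on input it does not understand is worse than one that asks for a manual look.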

Why This Matters

As organizations move toward Zero Trust architectures, the Identity Provider becomes the ultimate target. A compromise at the NetScaler level can provide attackers with the keys to the entire corporate kingdom, allowing for lateral movement and long-term persistence within the network.