On March 23, 2026, Citrix released fixes for a critical vulnerability affecting NetScaler ADC and NetScaler Gateway (CVE‑2026‑3055) that allows unauthenticated threat actors to perform out-of-bounds memory reads. Exploitation of this vulnerability requires that the affected appliance be configured as a SAML Identity Provider (IDP).
At the time of writing, Citrix has not reported any exploitation in the wild, and Arctic Wolf has not identified a publicly available proof-of-concept.
However, due to the low complexity and potential impact of this vulnerability, threat actors are likely to target it and attempt to reverse engineer the patches. Previous vulnerabilities involving memory reads in Citrix NetScaler ADC and Gateway, such as Citrix Bleed 1 (CVE‑2023‑4966) and Citrix Bleed 2 (CVE‑2025‑5777), were heavily targeted, highlighting the potential risk of CVE‑2026‑3055.
Recommendation for CVE‑2026‑3055
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Citrix NetScaler ADC and NetScaler Gateway | 14.1 before 14.1-66.59 | 14.1-66.59 and later releases |
| Citrix NetScaler ADC and NetScaler Gateway | 13.1 before 13.1-62.23 | 13.1-62.23 and later releases of 13.1 |
| Citrix NetScaler ADC and NetScaler Gateway | FIPS and NDcPP before 13.1-37.262 | 13.1-37.262 and later releases of 13.1-FIPS and 13.1-NDcPP |
- Citrix-managed cloud services and Adaptive Authentication are automatically updated with the required patches.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
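To help prioritise patching across an inventory, the following added example (not from Citrix or Arctic Wolf) compares a reported build against the fixed versions in the table above and checks an exported configuration for a SAML IdP profile. The accepted version-string formats, the `fips` flag, the result labels, and the use of the `add authentication samlIdPProfile` configuration line as the indicator of the IdP role are assumptions of this example.

```python
import re

# First fixed build per (release, branch), taken from the advisory table.
FIXED = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips"): (37, 262),  # 13.1-FIPS and 13.1-NDcPP
}

# Accepts "14.1-66.59" or "NS14.1: Build 66.59.nc" (assumed input formats).
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

# Assumption: a SAML IdP role appears in the saved config as this CLI command.
SAML_IDP_RE = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M)

# Constructed sample configurations (not taken from real appliances).
IDP_CONF = "add authentication samlIdPProfile example_idp_profile\n"
PLAIN_CONF = "add lb vserver example_web HTTP 192.0.2.10 80\n"


def parse_version(text):
    """Return (release, (build_major, build_minor)) from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def triage(version_text, ns_conf, fips=False):
    """Classify one appliance against the CVE-2026-3055 fixed versions."""
    release, build = parse_version(version_text)
    fixed = FIXED.get((release, "fips" if fips else "standard"))
    if fixed is None:
        return "unlisted"  # release not in the table; consult vendor guidance
    if build >= fixed:
        return "patched"
    if SAML_IDP_RE.search(ns_conf):
        return "vulnerable-exposed"  # affected build and SAML IdP configured
    return "vulnerable-no-saml-idp"  # affected build; still needs the upgrade


if __name__ == "__main__":
    inventory = [  # constructed inventory rows: (name, version, config, fips)
        ("gw-01", "NS14.1: Build 66.59.nc", IDP_CONF, False),
        ("gw-02", "14.1-60.52", IDP_CONF, False),
        ("adc-03", "13.1-37.250", PLAIN_CONF, True),
    ]
    for name, version, conf, fips in inventory:
        print(name, triage(version, conf, fips))
```

Appliances reported as `vulnerable-no-saml-idp` still run an affected build; the label only orders the upgrade queue.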


