Vulnerability Advisory

CVE-2026-4368

Citrix has released emergency patches for CVE-2026-3055 (CVSS 9.3), a critical unauthenticated out-of-bounds memory read in NetScaler ADC and NetScaler Gateway that affects SAML IDP configurations, and CVE-2026-4368 (CVSS 7.7), a race condition causing session hijacking. Patch to 14.1-66.59 or 13.1-62.23 immediately. watchTowr describes exploitation as imminent.

Severity: critical
CVSS Score: 9.3 / 10
Published: Mar 25, 2026

Affected Products

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-62.23
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262

Full Analysis

CVE-2026-3055: Citrix NetScaler Critical Flaw Leaks Sensitive Memory — Patch Immediately Before Exploitation Begins

Deep-dive: technical breakdown, real-world impact, complete remediation steps, and expert context.
