CVE-2026-3055
Citrix NetScaler Out-of-Bounds Read Vulnerability - [Actively Exploited]
Description
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread
INFO
Published Date :
March 23, 2026, 9:17 p.m.
Last Modified :
March 31, 2026, 1:18 p.m.
Remotely Exploit :
Yes !
Source :
50a63c94-1ea7-4568-8c11-eb79e7c5a2b5
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Citrix NetScaler ADC (formerly Citrix ADC), NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC FIPS and NDcPP contain an out-of-bounds reads vulnerability when configured as a SAML IDP leading to memory overread.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2026_3055_and_CVE_2026_4368 ; https://nvd.nist.gov/vuln/detail/CVE-2026-3055
Affected Products
The following products are affected by CVE-2026-3055
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5 | ||||
| CVSS 4.0 | CRITICAL | 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5 |
Solution
- Update NetScaler ADC and Gateway to the latest secure version.
- Configure SAML IDP settings carefully to avoid input validation issues.
Public PoC/Exploit Available at Github
CVE-2026-3055 has a 12 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-3055.
| URL | Resource |
|---|---|
| https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300 | Vendor Advisory |
| https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/ | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3055 | US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-3055 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-3055
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Security Tracker
Python
Low-impact probe for Citrix NetScaler CVE-2026-3055 (SAML IdP memory overread)
Python
Herramienta de detección para CVE-2026-3055 que identifica NetScaler ADC y Gateway vulnerables a memory overread. Realiza escaneo individual, por red o lista de hosts, detecta memory leak en /wsfed/passive?wctx, extrae session IDs, verifica versiones y genera reportes JSON, HTML o CSV con hosts vulnerables.
Python
Exploit funcional para CVE-2026-3055 en Citrix NetScaler ADC y Gateway. Aprovecha memory overread en endpoint /wsfed/passive?wctx para filtrar memoria del sistema, extrayendo session IDs administrativas, cookies y datos sensibles que permiten hijacking de sesiones y compromiso total del appliance vulnerable.
Python
workflows n8n pour parler avec une ia sur les actualités cyber
CVE-2026-3055
None
Full-scope external security scanner for Citrix NetScaler ADC/Gateway - 25 CVEs, 10 fingerprint vectors, IoC detection
Python
For developers, researchers, students, and builders: a free, open-source security intelligence aggregator that tracks CVEs, threat intel, and breaking security news in real time, from 17 sources — NVD, CISA, Unit 42, SANS, Schneier, and more — into one encrypted local database you control. — privately, locally, on your machine.
cve cybersecurity cybersecurity-education cybersecurity-tools mitre-attack portfolio portfolio-project python security-intelligence sqlite threat-detection threat-intelligence vulnerability-detection vulnerability-management vulnerability-scanners security-tools
Python Shell
Utils for CISA KEV
Python
None
Python
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-3055 vulnerability anywhere in the article.
-
The Hacker News
Russian State-Linked APT28 Exploits SOHO Routers in Global DNS Hijacking Campaign
The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn the ... Read more
-
The Hacker News
Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access
A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracke ... Read more
-
The Hacker News
Over 1,000 Exposed ComfyUI Instances Targeted in Cryptomining Botnet Campaign
An active campaign has been observed targeting internet-exposed instances running ComfyUI, a popular stable diffusion platform, to enlist them into a cryptocurrency mining and proxy botnet. "A purpose ... Read more
-
The Hacker News
China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
A China-based threat actor known for deploying Medusa ransomware has been linked to the weaponization of a combination of zero-day and N-day vulnerabilities to orchestrate "high-velocity" attacks and ... Read more
-
The Hacker News
Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed
Threat actors are exploiting a maximum-severity security flaw in Flowise, an open-source artificial intelligence (AI) platform, according to new findings from VulnCheck. The vulnerability in question ... Read more
-
The Hacker News
Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: ... Read more
-
The Hacker News
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has bee ... Read more
-
The Hacker News
Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Serv ... Read more
-
The Hacker News
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass ... Read more
-
The Hacker News
ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reali ... Read more
-
The Hacker News
New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerab ... Read more
-
Daily CyberSecurity
The Unpatched Kyverno SSRF Flaw That Turns Policies Into Cluster-Wide Backdoors
A critical security boundary in Kubernetes environments has been compromised. A new vulnerability note from CERT/CC has detailed a Server-Side Request Forgery (SSRF) flaw in Kyverno, the popular open- ... Read more
-
The Hacker News
TrueConf Zero-Day Exploited in Attacks on Southeast Asian Government Networks
A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubb ... Read more
-
Daily CyberSecurity
Critical Vulnerability in Perl Core Modules Leaves Systems Exposed
A high-severity security flaw has been identified within the core of the Perl programming language. Designated as CVE-2026-4176, the vulnerability carries a CVSS score of 9.8, highlighting a critical ... Read more
-
security.nl
Amerikaanse overheid krijgt drie dagen voor installatie Citrix- en F5-updates
Federale Amerikaanse overheidsdiensten moeten beveiligingsupdates voor twee actief aangevallen kwetsbaarheden in producten van Citrix en F5 binnen drie dagen installeren. Het Amerikaanse cyberagentsch ... Read more
-
Daily CyberSecurity
Critical CrewAI Vulnerabilities Allow RCE and Sandbox Escapes via Prompt Injection
The rapidly growing field of multi-agent AI systems has hit a significant security speed bump. A new vulnerability note from CERT/CC has detailed four distinct security flaws within CrewAI, a popular ... Read more
-
CybersecurityNews
CISA Warns of Citrix NetScaler Vulnerability Actively Exploited in Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding a critical vulnerability affecting Citrix NetScaler products. Identified as CVE-2026-3055, this secur ... Read more
-
Daily CyberSecurity
Nginx UI Alert: Public PoC Exploit and Full Details Disclosed for Critical 9.8 CVSS Flaw with No Patch Available
The popular web-based management interface, Nginx UI, is under fire following the public disclosure of a critical security flaw. Identified as CVE-2026-33032, this vulnerability carries a CVSS score o ... Read more
-
The Cyber Express
Axios Supply Chain Attack Exposes Developers to Hidden Malware
The Axios supply chain attack that surfaced on March 31, 2026, has raised serious concerns across the JavaScript ecosystem, exposing how a compromised npm Account can be leveraged to distribute malwar ... Read more
-
Daily CyberSecurity
The Instant Weaponization of Oracle’s 10.0 CVSS “Zero-Day-Like” Flaw
The digital ink had barely dried on the disclosure of CVE-2026-21962 before threat actors began a relentless campaign to weaponize it. A recent high-interaction honeypot study conducted between Januar ... Read more
The following table lists the changes that have been made to the
CVE-2026-3055 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Mar. 31, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:* versions from (including) 13.1 up to (excluding) 13.1-62.23 *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:* versions from (including) 14.1 up to (excluding) 14.1-60.58 *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:* versions from (including) 13.1 up to (excluding) 13.1-37.262 *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:* versions from (including) 13.1 up to (excluding) 13.1-37.262 Added CPE Configuration OR *cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:* versions from (including) 13.1 up to (excluding) 13.1-62.23 *cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:* versions from (including) 14.1 up to (excluding) 14.1-60.58 Added Reference Type CISA-ADP: https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/ Types: Exploit, Third Party Advisory Added Reference Type NetScaler: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300 Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3055 Types: US Government Resource -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Mar. 30, 2026
Action Type Old Value New Value Added Reference https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/ Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3055 -
New CVE Received by 50a63c94-1ea7-4568-8c11-eb79e7c5a2b5
Mar. 23, 2026
Action Type Old Value New Value Added Description Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-125 Added Reference https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300