cbcvebase.
CVE-2026-3055
published 2026-03-23

CVE-2026-3055: Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

PriorityP192critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-04-02
Exploited in the wild
EPSS
84.00%
99.7th percentile
Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

Affected

17 ranges
VendorProductVersion rangeFixed in
citrixcitrix_adm
citrixcitrix_hypervisor
citrixcitrix_virtual_apps_and_desktops
citrixendpoint_management
citrixnetscaler_adc
citrixnetscaler_application_delivery_controller>= 13.1 < 13.1-37.26213.1-37.262
citrixnetscaler_application_delivery_controller>= 13.1 < 13.1-62.2313.1-62.23
citrixnetscaler_application_delivery_controller>= 14.1 < 14.1-60.5814.1-60.58
citrixnetscaler_gateway
citrixnetscaler_gateway>= 13.1 < 13.1-62.2313.1-62.23
citrixnetscaler_gateway>= 14.1 < 14.1-60.5814.1-60.58
citrixxenserver
netscaleradc>= 13.1 < 62.2362.23
netscaleradc>= 13.1 FIPS and NDcPP < 37.26237.262
netscaleradc>= 14.1 < 66.5966.59
netscalergateway>= 13.1 < 62.2362.23
netscalergateway>= 14.1 < 66.5966.59

Detection & IOCsextracted from sources · hover to see the quote

url/cgi/GetAuthMethods
url/saml/login
url/wsfed/passive?wctx
cookieNSC_TASS
  • Monitor for HTTP requests to /cgi/GetAuthMethods on NetScaler ADC/Gateway — this endpoint is being probed by attackers to fingerprint SAML IDP configuration as a precursor to CVE-2026-3055 exploitation.
  • Detect exploitation attempts by monitoring POST requests to /saml/login that omit the AssertionConsumerServiceURL field in the SAMLRequest payload.
  • Alert on HTTP responses from NetScaler that set the NSC_TASS cookie with Base64-encoded content — this is the mechanism by which leaked memory is returned to the attacker.
  • Check Point IPS signature available for detection: 'Citrix NetScaler Out Of Bounds Read (CVE-2026-3055)'.
  • ·CVE-2026-3055 is only exploitable when the NetScaler ADC or NetScaler Gateway appliance is configured as a SAML Identity Provider (SAML IDP). Appliances not in this configuration are not affected.
  • ·The vulnerability actually covers two distinct memory overread bugs — one triggered via /saml/login (missing AssertionConsumerServiceURL) and one via /wsfed/passive?wctx (wctx parameter present but with no value and no '=' symbol).
  • ·Affected versions include NetScaler ADC and NetScaler Gateway before 14.1-60.58, 14.1 before 14.1-66.59, and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.4CRITICAL
cisa9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.