Citrix NetScaler CVE-2026-3055 and CVE-2026-4368 Patch Guide

Patch Citrix NetScaler ADC and Gateway for CVE-2026-3055 and CVE-2026-4368, verify SAML/Gateway/AAA exposure, and review authentication logs.

Citrix NetScaler ADC and NetScaler Gateway owners should verify patch status for CVE-2026-3055 and CVE-2026-4368. Citrix published CTX696300 for two NetScaler issues affecting customer-managed ADC and Gateway appliances. The higher-risk issue, CVE-2026-3055, is a critical memory overread issue when NetScaler is configured as a SAML identity provider. CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog with a required action due date of April 2, 2026.

This is a protect-only guide. Fix I.T. Phill is not publishing abuse-ready request details or testing steps. The useful defender work is to identify exposed NetScaler appliances, confirm whether SAML IdP, Gateway, or AAA features are in use, update to a fixed build, review authentication/session logs, and communicate clearly with customers whose VPN, RDP proxy, ICA proxy, or SAML workflows depend on the appliance.

Who Should Check

  • Customer-managed NetScaler ADC and NetScaler Gateway appliances.
  • Appliances configured as a SAML identity provider.
  • Appliances configured for Gateway services such as SSL VPN, ICA Proxy, CVPN, or RDP Proxy.
  • Appliances using AAA virtual servers.
  • Hosting providers, MSPs, and IT teams using NetScaler in front of customer portals, remote desktop access, Citrix Virtual Apps and Desktops, or single sign-on workflows.

Affected Versions And Fixed Builds

| CVE | Risk | Affected condition | Affected versions | Fixed versions |
|---|---|---|---|---|
| CVE-2026-3055 | Critical memory overread | NetScaler ADC or Gateway configured as a SAML identity provider | 14.1 before 14.1-60.58; 13.1 before 13.1-62.23; 13.1 FIPS/NDcPP before 13.1-37.262 | 14.1-60.58; 14.1-66.59 or later; 13.1-62.23 or later; 13.1 FIPS/NDcPP 13.1-37.262 or later |
| CVE-2026-4368 | High session mixup | Gateway or AAA virtual server configuration | 14.1-66.54 only | 14.1-66.59 or later, or another vendor-supported fixed build |

Citrix states the bulletin applies to customer-managed NetScaler ADC and NetScaler Gateway appliances. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are handled by Cloud Software Group.

Plain-English Impact

CVE-2026-3055 matters because SAML identity provider workflows sit on a sensitive authentication boundary. CISA’s KEV listing means defenders should treat affected internet-facing appliances as actively risky, not just theoretically vulnerable. If the appliance is exposed and still on an affected build, it should be considered overdue for remediation.

CVE-2026-4368 is narrower because Citrix says it only impacts NetScaler ADC and Gateway build 14.1-66.54, but the impact is still important for VPN, ICA Proxy, CVPN, RDP Proxy, and AAA workflows because the issue relates to session separation.

Safe Verification Checklist

Use normal appliance inventory and configuration review. Do not test against third-party appliances and do not copy public attack write-ups into scanners.

show ns version
show ha node
show authentication samlIdPProfile
show authentication vserver
show vpn vserver

  • Confirm the appliance build and edition.
  • Confirm whether SAML identity provider functionality is configured.
  • Confirm whether Gateway or AAA virtual server functionality is configured.
  • Identify whether any affected appliance is internet-facing or reachable from untrusted networks.
  • Check high availability pairs and confirm both nodes are patched, not only the active node.
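
The build and feature checks above can be scripted across an inventory. The following is an added example, not Citrix or Fix I.T. Phill code: it compares the build from a `show ns version` banner against the "Affected versions" column of the table on this page and reports any HA node that is still affected. The function names, node names, and banner strings are constructed for illustration, and the FIPS/NDcPP edition and feature flags are assumed to come from your own inventory and configuration review.

```python
import re

# Banner line as printed by `show ns version`; sample strings below are constructed.
BANNER = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")

# First unaffected build for CVE-2026-3055 per (branch, fips_edition),
# taken from the "Affected versions" column of the table on this page.
FIRST_FIXED_3055 = {("14.1", False): (60, 58),
                    ("13.1", False): (62, 23),
                    ("13.1", True): (37, 262)}
ONLY_AFFECTED_4368 = ("14.1", (66, 54))  # a single build, not a range

def parse_banner(text):
    """Return (branch, (major, minor)) with the build as integers."""
    m = BANNER.search(text)
    if not m:
        raise ValueError("no NetScaler version banner found")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(banner, saml_idp, gateway_or_aaa, fips=False):
    """List the CVEs from the table that apply to one node's build and features."""
    branch, build = parse_banner(banner)
    fixed = FIRST_FIXED_3055.get((branch, fips))
    if fixed is None:
        return ["not-in-table"]  # branch/edition not listed here: check the bulletin
    findings = []
    # Integer tuples compare numerically, so 62.9 sorts before 62.23 as it should.
    if saml_idp and build < fixed:
        findings.append("CVE-2026-3055")
    if gateway_or_aaa and (branch, build) == ONLY_AFFECTED_4368:
        findings.append("CVE-2026-4368")
    return findings

def unpatched_nodes(pair, **config):
    """pair maps node name -> banner; return only nodes that still have findings."""
    results = {name: assess(banner, **config) for name, banner in pair.items()}
    return {name: found for name, found in results.items() if found}

# Constructed HA pair: the primary was updated, the secondary was missed.
HA_PAIR = {
    "ns-a": "NetScaler NS14.1: Build 66.59.nc, Date: Jan 01 2026, 00:00:00   (64-bit)",
    "ns-b": "NetScaler NS14.1: Build 60.52.nc, Date: Jan 01 2026, 00:00:00   (64-bit)",
}

if __name__ == "__main__":
    print(unpatched_nodes(HA_PAIR, saml_idp=True, gateway_or_aaa=True))
```

A result of `not-in-table` means the branch or edition is not listed on this page and should be checked against the Citrix bulletin directly.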

Patch And Maintenance Guidance

  1. Export and back up the current NetScaler configuration before changes.
  2. Confirm the target fixed build from Citrix for your appliance branch and edition.
  3. For HA pairs, patch the secondary node first, verify health, fail over in a planned window, then patch the remaining node.
  4. Test SAML login, VPN, ICA Proxy, CVPN, RDP Proxy, AAA, load-balanced applications, and monitoring after each node is updated.
  5. Save configuration after successful validation and confirm the running build on every appliance.
  6. Update monitoring, inventory, and customer records so the old build does not stay listed as current.

If You Cannot Patch Immediately

Updating to a fixed build is the correct remediation. If a maintenance window is required, reduce exposure until the patch is complete:

  • Restrict management access to trusted administrator networks.
  • Confirm whether SAML IdP, Gateway, and AAA functions are required on the exposed appliance.
  • Move unnecessary authentication services away from public exposure where possible.
  • Increase monitoring around authentication, session, VPN, and SAML activity.
  • Schedule an emergency change window for any internet-facing affected appliance because the CISA KEV deadline has already passed.

What Logs And Signals To Review

  • Authentication and AAA logs for unusual failures, unexpected successes, and unfamiliar administrator activity.
  • Gateway, VPN, ICA Proxy, CVPN, and RDP Proxy session logs for unusual session behavior or account/IP mismatches.
  • SAML identity provider logs and downstream identity provider or service provider logs for abnormal assertions or login timing.
  • Management audit logs for configuration changes, new administrator accounts, new authentication policies, or changes around SAML, Gateway, or AAA services.
  • Firewall, SIEM, CDN, and WAF logs for unusual access patterns toward the appliance and protected applications.

Customer Communication

For MSP and hosting customers, keep the message operational: a Citrix/NetScaler security bulletin affects certain ADC and Gateway configurations, the appliance build and feature use were checked, and the appliance has been updated or scheduled for emergency maintenance. If customer remote access or SSO is involved, give a clear maintenance window and expected impact.

If review finds suspicious authentication or session activity, tell the customer what accounts, time windows, and services are being reviewed. Do not send technical attack details.

CDN And Virtual Patching Note

CDN or WAF controls can help reduce exposure around management access and protected web applications, but they do not replace patching the NetScaler appliance. For Help4 CDN-managed environments, the useful action is to identify customers with exposed NetScaler ADC/Gateway services, confirm patch status, restrict administrative surfaces, and monitor authentication/session anomalies while the appliance is updated.

Bottom Line

If NetScaler ADC or NetScaler Gateway is customer-managed and exposed, check the build and feature configuration now. CVE-2026-3055 is critical and in CISA KEV, and CVE-2026-4368 affects a specific 14.1 build used for Gateway or AAA workflows. Patch to the fixed Citrix-supported build, verify both HA nodes, and review authentication and session logs.
