Two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway

9:00am, 26 March 2026

TLP Rating: Clear

There are reports of two new vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway. 

The first of these vulnerabilities, tracked as CVE-2026-3055, is a critical flaw caused by insufficient input validation leading to memory overread. 

The second vulnerability, tracked as CVE-2026-4368, is a high severity flaw caused by a race condition leading to a user session mix-up. 

The NCSC encourages organisations in New Zealand that use affected versions of these products to review the vendor advisory and apply the remediations as soon as possible.

What's happening

Systems affected

For CVE-2026-3055, provided that the appliance is configured as a SAML Identity Provider (SAML IdP), these versions are affected:    

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
  • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

For CVE-2026-4368, provided that the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, the following version is affected:

  • NetScaler ADC and NetScaler Gateway 14.1-66.54
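
The following triage helper is an added example, not code from the NCSC or from the vendor. It applies the version thresholds and configuration conditions listed above to an appliance inventory. The edition labels (`standard`, `fips-ndcpp`), the `saml_idp` and `gateway_or_aaa` fields and the sample inventory are assumptions made for illustration.

```python
import re

# Thresholds copied from the "Systems affected" list in this alert.
# (branch, edition) -> first build NOT affected by CVE-2026-3055.
# The edition labels are hypothetical inventory values.
FIXED_3055 = {
    ("14.1", "standard"): (66, 59),
    ("13.1", "standard"): (62, 23),
    ("13.1", "fips-ndcpp"): (37, 262),
}
# CVE-2026-4368 is listed for exactly one build.
AFFECTED_4368 = ("14.1", "standard", (66, 54))
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Split '14.1-66.54' into ('14.1', (66, 54)); reject anything else."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def triage(version, edition="standard", saml_idp=False, gateway_or_aaa=False):
    """Return the alert's CVEs that apply to one appliance, or None when the
    branch/edition is not in the alert's list (check the vendor advisory)."""
    branch, build = parse_version(version)
    fixed = FIXED_3055.get((branch, edition))
    if fixed is None:
        return None
    hits = []
    # Builds compare as integer tuples, so 62.9 sorts before 62.23.
    if saml_idp and build < fixed:
        hits.append("CVE-2026-3055")
    if gateway_or_aaa and (branch, edition, build) == AFFECTED_4368:
        hits.append("CVE-2026-4368")
    return hits


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    inventory = [
        {"version": "14.1-66.54", "saml_idp": True, "gateway_or_aaa": True},
        {"version": "13.1-62.9", "saml_idp": True},
        {"version": "13.1-37.262", "edition": "fips-ndcpp", "saml_idp": True},
    ]
    for item in inventory:
        print(item["version"], triage(**item))
```

An empty list means the appliance does not match the conditions in this alert; `None` means the alert does not list that branch or edition at all.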

What to do

Prevention

To prevent exploitation, update affected products to a patched version in accordance with the vendor advisory. 

More information

Read more about this alert on the vendor website:

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368 advisory

CVE-2026-3055

CVE-2026-4368

If you require more information or further support, submit a report on our website:
Report an incident

If you need assistance using the tool, call us on 0800 114 115. Calling us is free within New Zealand. We’re open 7am to 7pm, Monday to Friday, and we’re closed on public holidays.