Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities FortiGuard Outbreak Alerts

Citrix NetScaler Memory Overread Vulnerability

CVE-2026-3055 (CVSS 9.8) is a critical memory overread vulnerability in Citrix NetScaler ADC and Gateway. Attackers exploit it by sending malformed SAML authentication requests to exposed IdP endpoints, potentially exposing sensitive session and credential data. Affected versions are NetScaler ADC and Gateway 13.1 builds before 13.1-37.262 or 13.1-62.23, and 14.1 builds before 14.1-60.58. The fixed versions are 13.1-37.262, 13.1-62.23, and 14.1-60.58.

Exploitation activity targeting vulnerable Citrix NetScaler ADC and Gateway appliances remains persistent and widespread, with FortiGuard Labs telemetry continuously observing attack attempts from global sources probing exposed NetScaler SAML endpoints for vulnerable configurations. Analysis from FortiGuard IPS sensors shows sustained targeting of internet-facing NetScaler deployments configured as SAML Identity Providers (IdP). Attackers continue using malformed authentication requests to exploit the memory overread condition associated with CVE-2026-3055, potentially exposing sensitive session data, authentication tokens, and credential material.
