CVE-2026-3055

CRITICAL KEV NUCLEI

Insufficient input validation leading to memory overread

Title source: cna

Exploitation Summary

CVE-2026-3055 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 30, 2026. EIP tracks 6 public exploits from researchers including NetVanguard-cmd, l0lsec, fevar54, including a Metasploit module auxiliary/scanner/http/citrix_netscaler_cve_2026_3055. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository claims to exploit CVE-2026-3055, a memory overread vulnerability in NetScaler ADC/Gateway SAML IDP, but provides no actual exploit code. Instead, it directs users to an external download link (tinyurl.com), which is a common tactic for distributing malware or fake exploits.

Description

Insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread

Exploits (6)

nomisec SUSPICIOUS

by NetVanguard-cmd · poc

https://github.com/NetVanguard-cmd/CVE-2026-3055

View Code ZIP pw:eip

The repository claims to exploit CVE-2026-3055, a memory overread vulnerability in NetScaler ADC/Gateway SAML IDP, but provides no actual exploit code. Instead, it directs users to an external download link (tinyurl.com), which is a common tactic for distributing malware or fake exploits.

Classification

Suspicious 95%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: NetScaler ADC and NetScaler Gateway (SAML IDP configuration)

No auth needed

Prerequisites: Reachable vulnerable target · Predictable user/workflow context

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Apr 19, 2026 Full analysis →

nomisec SCANNER

by l0lsec · poc

https://github.com/l0lsec/check-cve-2026-3055-netscaler

View Code ZIP pw:eip

This repository contains a Python script that scans for CVE-2026-3055, a memory overread vulnerability in Citrix NetScaler appliances configured as SAML Identity Providers. The script sends a crafted SAML request to detect the presence of the vulnerability by checking for specific response markers.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Citrix NetScaler / NetScaler Gateway (configured as SAML IdP)

No auth needed

Prerequisites: Target must be configured as a SAML Identity Provider · Access to the `/saml/login` endpoint

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 09, 2026 Full analysis →

nomisec SCANNER

by fevar54 · poc

https://github.com/fevar54/CVE-2026-3055-Scanner---Herramienta-de-Detecci-n

View Code ZIP pw:eip

This repository contains a Python-based scanner for detecting CVE-2026-3055, a memory overread vulnerability in Citrix NetScaler ADC and Gateway. The tool checks for memory leaks via the NSC_TASS cookie and extracts session IDs from leaked data.

Classification

Scanner 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Citrix NetScaler ADC and Gateway

No auth needed

Prerequisites: network access to target · Python 3.8+

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 09, 2026 Full analysis →

nomisec SCANNER

by fevar54 · poc

https://github.com/fevar54/CVE-2026-3055---Citrix-NetScaler-Memory-Overread-PoC

View Code ZIP pw:eip

The repository contains a Python script that checks for the presence of CVE-2026-3055 in Citrix NetScaler by sending a request to the vulnerable endpoint and analyzing the response cookies for signs of memory leakage. It does not include exploit code but provides a detection mechanism.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Citrix NetScaler ADC and NetScaler Gateway (SAML IDP configuration)

No auth needed

Prerequisites: Network access to the target NetScaler instance

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 09, 2026 Full analysis →

nomisec WRITEUP

by 0xBlackash · poc

https://github.com/0xBlackash/CVE-2026-3055

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2026-3055, an unauthenticated out-of-bounds memory read vulnerability in Citrix NetScaler ADC and Gateway when configured as a SAML Identity Provider (IdP). It includes vulnerability details, affected versions, remediation steps, and references but does not contain exploit code.

Classification

Writeup 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Theoretical

Target: Citrix NetScaler ADC and Gateway (versions 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1 FIPS/NDcPP before 13.1-37.262)

No auth needed

Prerequisites: Target must be configured as a SAML Identity Provider (IdP) · Network reachability to SAML endpoints

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Apr 09, 2026 Full analysis →

metasploit SCANNER

by watchTowr, sfewer-r7 · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/citrix_netscaler_cve_2026_3055.rb

View Code ZIP pw:eip

This Metasploit module scans for CVE-2026-3055, a memory leak vulnerability in Citrix ADC (NetScaler) SAML IdP configurations. It detects the presence of the vulnerability by checking for leaked memory in the NSC_TASS cookie and attempts to extract session cookies from the leaked data.

Classification

Scanner 100%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Citrix ADC (NetScaler) configured as a SAML IdP

No auth needed

Prerequisites: Target must be a Citrix ADC (NetScaler) configured as a SAML IdP · Network access to the target on port 443

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 20, 2026 Full analysis →

Nuclei Templates (1)

Citrix NetScaler SAML IDP - Memory Overread

CRITICALVERIFIEDby watchtowr,shaikhyaser,DhiyaneshDk

Shodan: title:"NetScaler Gateway" || title:"NetScaler AAA" || http.favicon.hash:-1166125415 || http.favicon.hash:-1292923998

FOFA: title="NetScaler Gateway" || title="NetScaler AAA" || icon_hash="-1166125415" || icon_hash="-1292923998"

References (3)

Core 3

Core References

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300

Various Sources

https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/

Third Party Advisory, US Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-3055

Scores

CVSS v3 9.8

EPSS 0.8992

EPSS Percentile 99.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation active

Automatable yes

Technical Impact total

Details

CISA KEV 2026-03-30

VulnCheck KEV 2026-03-29

ENISA EUVD EUVD-2026-14546

CWE

CWE-125

Status published

Products (8)

citrix/netscaler_application_delivery_controller 13.1 - 13.1-37.262 (2 CPE variants)

citrix/netscaler_application_delivery_controller 13.1 - 13.1-62.23

citrix/netscaler_gateway 13.1 - 13.1-62.23

NetScaler/ADC 13.1 - 62.23

NetScaler/ADC 13.1 FIPS and NDcPP - 37.262

NetScaler/ADC 14.1 - 66.59

NetScaler/Gateway 13.1 - 62.23

NetScaler/Gateway 14.1 - 66.59

Published Mar 23, 2026

KEV Added Mar 30, 2026

Tracked Since Mar 24, 2026