
CVE-2026-3055 is a critical out-of-bounds read (memory overread) vulnerability in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider (IDP). Insufficient input validation allows unauthenticated remote attackers to trigger memory disclosure, potentially exposing sensitive data including session tokens. The vulnerability was first published on March 23, 2026, with patches released March 31, 2026. Affected versions include NetScaler ADC 13.1 (before 13.1-62.23 standard, before 13.1-37.262 FIPS/NDcPP) and 14.1 (before 14.1-60.58), and NetScaler Gateway 13.1 (before 13.1-62.23) and 14.1 (before 14.1-60.58). It carries a CVSS v3.1 score of 9.8 (Critical) and a CVSS v4.0 score of 9.3 (Critical) (Citrix Advisory, CISA KEV).
The vulnerability is classified as CWE-125 (Out-of-bounds Read) and stems from insufficient input validation in the SAML IDP processing code of NetScaler ADC and Gateway. Notably, CVE-2026-3055 encompasses at least two distinct memory overread bugs affecting different endpoints: /saml/login and /wsfed/passive?wctx. For the WS-Federation endpoint, the flaw occurs when the wctx query parameter is present without an associated value (i.e., without the = symbol); the appliance checks only for the parameter's presence before accessing the associated buffer, rather than verifying that actual data exists. This causes the device to read from uninitialized or adjacent memory and return the contents base64-encoded in the NSC_TASS cookie. Exploitation requires no authentication and no user interaction, but the appliance must be configured as a SAML IDP. A concrete PoC HTTP request (GET /wsfed/passive?wctx HTTP/1.1) was published by watchTowr Labs demonstrating reliable memory disclosure (watchTowr Labs).
Successful exploitation allows an unauthenticated attacker to read kilobytes of process memory from the NetScaler appliance per request, with different memory regions disclosed on each request. Disclosed memory can include sensitive data such as authenticated administrative session IDs, HTTP request headers from other users, cryptographic material, and internal memory pointers — enabling session hijacking and potential full administrative compromise of the appliance. Because NetScaler devices typically sit at the network perimeter handling VPN, SSO, and application delivery, compromise can facilitate lateral movement into internal enterprise networks. The vulnerability has been compared to CitrixBleed (CVE-2023-4966) in severity and exploitation pattern (watchTowr Labs, CISA KEV).
Exploitation steps, as described in the public research:
1. Identify candidate appliances. A device is in scope only if it is configured as a SAML IDP, detectable with show running-config | grep -i samlIdPProfile on accessible devices.
2. Probe the /saml/login or /wsfed/passive endpoints for valid responses.
3. Send a request with the wctx parameter present but without a value or = sign:
   GET /wsfed/passive?wctx HTTP/1.1
   Host: <target>
4. Capture the NSC_TASS cookie value in the response, which contains base64-encoded process memory from the NetScaler appliance.
5. Base64-decode the NSC_TASS cookie contents to obtain raw memory, which may include HTTP request headers from concurrent sessions, session tokens, cryptographic material, and internal pointers.

Detection indicators:
- Network: requests to /wsfed/passive?wctx (without a value after wctx) or /saml/login from external IPs; high-volume repeated requests to SAML IDP endpoints from a single source IP; outbound connections from the NetScaler to unexpected external hosts.
- Logs: requests to /wsfed/passive or /saml/login with malformed or missing parameter values; HTTP 302 responses to these endpoints from unauthenticated sources; anomalous session activity from IPs not associated with known users. Note that wctx with no = sign is the described trigger; wctx= with an empty value is a different request and should be classified separately.
- Response artefacts: NSC_TASS cookie values in HTTP responses to unauthenticated requests, particularly those containing decoded HTTP headers, memory addresses, or session tokens from other users.
- Affected configuration: appliances with a samlIdPProfile (detectable via show running-config | grep -i samlIdPProfile) on unpatched firmware versions are confirmed vulnerable.

Remediation: Citrix has released patched versions addressing CVE-2026-3055: NetScaler ADC 13.1-62.23 or later (standard), 13.1-37.262 or later (FIPS/NDcPP), and 14.1-60.58 or later; NetScaler Gateway 13.1-62.23 or later and 14.1-60.58 or later. Immediate upgrade to a patched version is the recommended remediation (Citrix Advisory). As a temporary workaround where patching is not immediately possible, restrict network access to the SAML IDP endpoints (/saml/login and /wsfed/passive) from untrusted networks using firewall rules or WAF policies. CISA mandated that U.S. federal agencies apply mitigations by April 2, 2026 (CISA KEV). Organizations should also audit NetScaler configurations to determine whether SAML IDP mode is necessary and disable it if it is not required.
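The request-side and response-side indicators above can be turned into simple detection logic. The following Python is an added example written for this page; it is not code from Citrix, watchTowr Labs or any vendor cited here. It assumes a generic combined-format access log (the sample lines are constructed; a real deployment would feed it from NetScaler web logging or a proxy in front of the appliance), and the NSC_TASS value it decodes is a constructed buffer, not captured memory. It also shows a pitfall a detection parser can fall into: urllib.parse.parse_qs collapses wctx and wctx= into the same empty value, whereas only the former is the trigger the advisory text describes, so the raw query string has to be split by hand.

```python
"""Detection helpers for the CVE-2026-3055 request/response artefacts.

Added example for this page, not Citrix or watchTowr code. The log lines,
log format and the cookie value below are constructed for illustration.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

SAML_IDP_PATHS = ("/wsfed/passive", "/saml/login")

# Constructed access-log lines in a generic combined-log shape (assumption:
# a real NetScaler log would need its own field layout).
SAMPLE_LOG = """\
198.51.100.7 - - [31/Mar/2026:10:00:01 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0
198.51.100.7 - - [31/Mar/2026:10:00:02 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 302 0
203.0.113.9 - - [31/Mar/2026:10:00:03 +0000] "GET /wsfed/passive?wa=wsignin1.0&wtrealm=urn:app&wctx=abc123 HTTP/1.1" 302 0
203.0.113.9 - - [31/Mar/2026:10:00:04 +0000] "GET /wsfed/passive?wctx= HTTP/1.1" 302 0
192.0.2.5 - - [31/Mar/2026:10:00:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 1220
"""

REQ_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def valueless_params(query: str) -> set[str]:
    """Return query parameters that appear with no '=' at all.

    parse_qs(keep_blank_values=True) maps both 'wctx' and 'wctx=' to '',
    so the raw query is split by hand; only the '=' -less form is the
    trigger described in the advisory text.
    """
    return {part for part in query.split("&") if part and "=" not in part}


def classify_request(target: str) -> str:
    """'trigger': /wsfed/passive hit with a valueless wctx parameter.
    'probe': any other hit on a SAML IDP endpoint. 'benign': everything else."""
    parts = urlsplit(target)
    if parts.path not in SAML_IDP_PATHS:
        return "benign"
    if parts.path == "/wsfed/passive" and "wctx" in valueless_params(parts.query):
        return "trigger"
    return "probe"


def scan_log(text: str) -> dict[str, int]:
    """Count trigger requests per source IP over access-log text."""
    hits: dict[str, int] = {}
    for line in text.splitlines():
        m = REQ_LINE.match(line)
        if m and classify_request(m["target"]) == "trigger":
            hits[m["ip"]] = hits.get(m["ip"], 0) + 1
    return hits


# Artefacts that should never appear inside a legitimate opaque WS-Fed context
# token: HTTP request lines and "Name: value" header fields from other sessions.
HEADER_RE = re.compile(rb"(?m)^[A-Za-z][A-Za-z0-9-]{1,40}: [^\r\n]{1,200}")
REQLINE_RE = re.compile(rb"(?:GET|POST|HEAD|PUT) /\S* HTTP/1\.[01]")


def inspect_nsc_tass(cookie_value: str) -> dict:
    """Base64-decode an NSC_TASS value and flag it if the plaintext looks like
    leaked process memory (embedded request line or several header fields)."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except (binascii.Error, ValueError):
        return {"decoded": False, "suspicious": False, "headers": []}
    headers = [h.decode("ascii", "replace") for h in HEADER_RE.findall(raw)]
    has_reqline = REQLINE_RE.search(raw) is not None
    return {
        "decoded": True,
        "length": len(raw),
        "headers": headers,
        "suspicious": has_reqline or len(headers) >= 2,
    }


# Constructed "leaked" buffer: binary padding around a fragment of another
# client's request. Not real appliance memory.
_LEAK = (
    b"\x00" * 16
    + b"GET /vpn/index.html HTTP/1.1\r\nHost: gw.example.test\r\nCookie: NSC_AAAC=CONSTRUCTED\r\n"
    + b"\x7f\x3a\x00\x11" * 4
)
SAMPLE_COOKIE = base64.b64encode(_LEAK).decode()

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))          # per-IP count of valueless-wctx requests
    print(inspect_nsc_tass(SAMPLE_COOKIE))
```

Run stand-alone, the script prints the per-IP count of valueless-wctx requests from the sample log and the verdict on the constructed cookie. The header heuristics are deliberately narrow; a tuned version would add the appliance's own cookie names and a pointer-pattern check, but the structure (raw query-string split on the request side, decode-and-grep on the response side) is what matters.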
Citrix issued an official security bulletin (CTX696300) urging immediate patching and confirmed the vulnerability was identified internally. watchTowr Labs published two detailed technical blog posts (Parts 1 and 2) revealing that CVE-2026-3055 actually covers at least two distinct memory overread bugs, and released a detection artifact generator for defenders — drawing significant community attention and comparisons to CitrixBleed (CVE-2023-4966). Security researchers and media widely described the flaw as "CitrixBleed 3" or a sequel to prior high-profile NetScaler vulnerabilities. BleepingComputer, SecurityWeek, The Hacker News, The Register, and Infosecurity Magazine all covered active exploitation. CISA's rapid KEV listing (within days of disclosure) and the April 2 federal deadline generated substantial discussion on Reddit, Mastodon, and Bluesky. Rapid7 published an ETR blog post and added a Metasploit scanner module. Multiple national CERTs (UK NCSC, Canadian CCCS, EU CERT, Irish NCSC, New Zealand NCSC, Hong Kong GovCERT) issued advisories urging urgent patching (watchTowr Labs, CISA KEV).
Source: This report was generated with the help of AI.