Mitigation Strategies

Immediate mitigation steps include disabling or avoiding the configuration of Citrix NetScaler appliances as SAML Identity Providers (IdP), as this configuration is inherently insecure for this vulnerability.

Administrators should monitor for exploitation attempts using detection artifacts and block suspicious traffic targeting the vulnerable endpoints `/saml/login` and `/wsfed/passive?wctx`.

Applying any available patches or updates from Citrix addressing this vulnerability is critical once released.

Until patches are applied, consider implementing network-level controls such as firewall rules or web application firewall (WAF) policies to block or restrict access to the vulnerable endpoints.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-3055 involves multiple memory overread vulnerabilities in Citrix NetScaler appliances, specifically when configured as a SAML Identity Provider (IdP). The vulnerability affects endpoints such as `/saml/login` and `/wsfed/passive?wctx`.

One key flaw occurs when a crafted HTTP GET request includes the `wctx` query parameter that is present but empty and lacks an equals sign (`=`). The vulnerable appliance incorrectly checks only for the presence of this parameter without verifying if it contains a value, leading to access of uninitialized or 'dead' memory.

This causes the appliance to leak kilobytes of memory, which is base64-encoded and returned in the `NSC_TASS` cookie. The leaked memory can contain sensitive information such as HTTP headers, session IDs, and potentially authenticated administrative session tokens.

The memory content varies with each request, allowing attackers to repeatedly extract different chunks of sensitive data. Exploitation has been observed in the wild starting from March 27, 2026.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the disclosure of sensitive information from the NetScaler appliance's memory. Attackers can extract HTTP headers, session IDs, and authenticated administrative session tokens.

Such information leakage can allow attackers to hijack sessions, gain unauthorized administrative access, and potentially compromise the security of the network and connected systems.

Because the memory content changes with each request, attackers can repeatedly exploit this flaw to gather a wide range of sensitive data over time.

Useful 0 Not Useful 0

Detection Guidance

CVE-2026-3055 can be detected by monitoring for crafted HTTP GET requests to the endpoints `/saml/login` and `/wsfed/passive?wctx` on Citrix NetScaler appliances configured as SAML Identity Providers. Specifically, detection focuses on requests where the `wctx` query parameter is present but empty and lacks an equals sign (`=`).

These requests cause the appliance to leak base64-encoded memory content in the `NSC_TASS` cookie, which can be inspected to confirm exploitation attempts.

A Detection Artifact Generator has been released by researchers to help identify vulnerable hosts and ongoing exploitation.

• Monitor HTTP GET requests to `/wsfed/passive?wctx` with an empty `wctx` parameter.
• Inspect responses for the presence of the `NSC_TASS` cookie containing base64-encoded data.
• Look for unusual or repeated requests containing the `Citrix-ns-orig-srcip` header, which may indicate internal exploitation attempts.

While specific commands are not provided in the resources, network administrators can use tools like curl or tcpdump to capture and analyze HTTP traffic to these endpoints, filtering for the described patterns.

Useful 0 Not Useful 0