Citrix
US enterprise networking vendor whose NetScaler product has suffered three critical memory CVEs in 30 months, including CitrixBleed 3 (CVE-2026-3055).
Last refreshed: 17 April 2026 · Appears in 1 active topic
Should enterprises still use Citrix NetScaler as their SAML login gateway?
Timeline for Citrix
Disclosed CVE-2026-3055 unauthenticated memory overread in NetScaler ADC and Gateway SAML IdP path
Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker
Mentioned in: Trump proposes $707m CISA cut, 860 jobs
Cybersecurity: Threats and Defences
- Is Citrix NetScaler still being hacked in 2026?
- Yes. Citrix disclosed CVE-2026-3055 (CitrixBleed 3) on 23 March 2026, the third critical memory-disclosure vulnerability in NetScaler in 30 months. CISA added it to KEV as actively exploited with a 2 April remediation deadline. Source: Citrix / CISA
- What is CitrixBleed and why does it keep happening?
- CitrixBleed is a series of critical memory-disclosure vulnerabilities in Citrix NetScaler's SAML login path. Three variants appeared in 30 months (2023, 2024, 2026), sharing the same structural pattern, which security researchers attribute to a root-cause memory-management problem rather than three independent bugs. Source: Qualys / Picus / Lowdown
Background
Citrix (now part of Cloud Software Group) disclosed CVE-2026-3055 (CitrixBleed 3) on 23 March 2026, the third critical memory-disclosure vulnerability in NetScaler ADC and NetScaler Gateway in thirty months. The CVE was scored CVSS v4.0 9.3 and added to the CISA Known Exploited Vulnerabilities catalogue on 28 March with a federal remediation deadline of 2 April. WatchTowr confirmed active reconnaissance before mass exploitation.
Citrix provides enterprise networking and virtualisation software; NetScaler is its primary application delivery and security product. NetScaler is deployed at the edge of enterprise networks, often as the SAML Identity Provider for single sign-on. The three CitrixBleed vulnerabilities (2023, 2024, 2026) share the same structural pattern: crafted SAML requests to NetScaler endpoints expose session tokens or memory contents, enabling authentication bypass. Security researchers have assessed this as a root-cause architecture problem rather than three independent bugs.
For enterprises running NetScaler as their SAML broker, the CitrixBleed series has shifted the risk conversation from patch management to architecture: whether NetScaler should remain in front of an organisation's entire SSO chain given a three-iteration exploit pattern. The NCSC issued an advisory on 25 March 2026 and CISA on 28 March.