
Citrix
Enterprise networking vendor; NetScaler ADC hit by three critical CitrixBleed memory-disclosure CVEs.
Last refreshed: 8 May 2026 · Appears in 1 active topic
Should enterprises still use Citrix NetScaler as their SAML login gateway?
Timeline for Citrix
Mentioned in: Ivanti EPMM logs fourth KEV zero-day since 2023 (Cybersecurity: Threats and Defences)
Mentioned in: Trump proposes $707m CISA cut, 860 jobs (Cybersecurity: Threats and Defences)
Disclosed CVE-2026-3055, an unauthenticated memory overread in the NetScaler ADC and Gateway SAML IdP path (Cybersecurity: Threats and Defences)
Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker
- Is Citrix NetScaler still being hacked in 2026?
- Yes. Citrix disclosed CVE-2026-3055 (CitrixBleed 3) on 23 March 2026, the third critical memory-disclosure vulnerability in NetScaler in 30 months. CISA added it to KEV as actively exploited with a 2 April remediation deadline. Source: Citrix / CISA
- What is CitrixBleed and why does it keep happening?
- CitrixBleed is a series of critical memory-disclosure vulnerabilities in Citrix NetScaler's SAML login path. Three variants appeared in 30 months (2023, 2024, 2026), sharing the same structural pattern, which security researchers attribute to a root-cause memory-management problem rather than three independent bugs. Source: Qualys / Picus / Lowdown
- How does CitrixBleed compare to the cPanel zero-day in terms of vendor response?
- The cPanel CVE-2026-41940 zero-day ran 65 days before a patch shipped, but a patch did eventually arrive and was applied. CitrixBleed 3 is the third iteration of the same root-cause flaw, suggesting that repeated patching has not resolved the underlying architectural problem in NetScaler's SAML processing. Source: WatchTowr Labs / CISA
Background
Citrix (now part of Cloud Software Group) disclosed CVE-2026-3055 (CitrixBleed 3) on 23 March 2026, the third critical memory-disclosure vulnerability in NetScaler ADC and NetScaler Gateway in thirty months. The CVE was scored CVSS v4.0 9.3 and added to the CISA Known Exploited Vulnerabilities catalogue on 28 March with a federal remediation deadline of 2 April. WatchTowr confirmed active reconnaissance before mass exploitation.
Citrix provides enterprise networking and virtualisation software, with NetScaler being its primary application delivery and security product. NetScaler is deployed at the edge of enterprise networks, often as the SAML Identity Provider for single sign-on. The three CitrixBleed vulnerabilities (2023, 2024, 2026) share the same structural pattern: crafted SAML requests to NetScaler endpoints expose session tokens or memory contents, enabling authentication bypass. Security researchers have assessed this as a root-cause architecture problem rather than three independent bugs.
The CitrixBleed series has become the reference case for the opposite of a responsible-disclosure success story: cPanel's CVE-2026-41940 zero-day (disclosed by WatchTowr Labs in May 2026) ran for 65 days before a patch shipped, but a patch at least existed and was eventually applied. By contrast, CitrixBleed 3's three-iteration exploit history raises the question of whether repeated patches are managing symptoms rather than the root cause. For enterprises running NetScaler as their SAML broker, the series has shifted the risk conversation from patch management to architecture: whether NetScaler should remain in front of an organisation's entire SSO chain given a documented pattern of recurring memory-disclosure flaws. The NCSC issued an advisory on 25 March 2026 and CISA on 28 March.