CitrixBleed 3

CVE-2026-3055: unauthenticated memory overread in NetScaler SAML IdP path, CVSS 9.3; third critical memory bug in Citrix NetScaler in 30 months.

Last refreshed: 17 April 2026

Key Question

Why does Citrix NetScaler keep getting the same kind of critical memory bug?

Timeline for CitrixBleed 3

Issue #117, April: mentioned in "CitrixBleed 3 lands on SAML broker" (Cybersecurity: Threats and Defences)
Common Questions

What is CitrixBleed 3 and how dangerous is it?
CitrixBleed 3 (CVE-2026-3055) is an unauthenticated memory overread in Citrix NetScaler when used as a SAML Identity Provider, scored CVSS 9.3. Active reconnaissance was confirmed by WatchTowr before CISA added it to KEV on 28 March 2026. (Source: Citrix / CISA / WatchTowr)

Is Citrix fixing the root cause of its repeated memory bugs?
Three critical memory-disclosure vulnerabilities in NetScaler's SAML path in 30 months suggest a shared root cause in memory management rather than independent bugs. Citrix has not publicly confirmed a root-cause fix; each vulnerability has been patched individually. (Source: Lowdown analysis / Qualys)

Background

CitrixBleed 3 (CVE-2026-3055) is an unauthenticated memory overread in NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, scored CVSS v4.0 9.3. Citrix disclosed the CVE on 23 March 2026; CISA added it to the Known Exploited Vulnerabilities catalogue on 28 March with a federal remediation deadline of 2 April. WatchTowr confirmed active reconnaissance before mass exploitation. The NCSC issued an advisory on 25 March.

The attack path follows the same structural pattern as 2023's CitrixBleed (CVE-2023-4966): a crafted SAMLRequest to the `/saml/login` endpoint, omitting the AssertionConsumerServiceURL field, causes the appliance to leak memory via the `NSC_TASS` cookie. The 2023 CitrixBleed was exploited by LockBit and multiple APT groups. CitrixBleed 2 followed in 2024. Three critical memory-disclosure vulnerabilities with the same structural pattern in 30 months point to a shared root cause in NetScaler's SAML request memory management rather than three independent bugs.

For enterprises running NetScaler as their SAML broker for single sign-on, CitrixBleed 3 is a third iteration of the same risk: a crafted request to the authentication endpoint can expose session tokens that allow attackers to bypass authentication entirely. The risk calculus is no longer just patching CVE-2026-3055; it is whether NetScaler should remain the SAML broker for an estate's entire authentication chain.
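Because the impact of this class of bug is a leaked session token rather than code execution, the detections that matter are the ones that catch what follows the overread: a token presented from somewhere it was not issued, and repeated unauthenticated traffic at the `/saml/login` endpoint. The script below is an added example written for this page; it is not Citrix, CISA or WatchTowr code. It assumes a simplified, constructed access-log line format (`<iso-ts> <src-ip> "<method> <path>" <status> ua="..." [sess=<token>]`), uses a `sess=` field as a stand-in for the `NSC_TASS` value, and runs over synthetic log lines embedded in the file; the regex would need adapting to a real NetScaler export.

```python
"""Detection sketch for session-token leakage on a SAML IdP appliance.

Added example, not code from the page's sources. Two signals are checked
over constructed access-log lines:

  1. the same session token presented from more than one source IP or
     user agent (possible hijack with a leaked token);
  2. a source that repeatedly requests /saml/login without ever holding a
     session (possible probing of the SAML IdP endpoint).

The log format, the 'sess=' field (standing in for NSC_TASS) and every
address or token below are assumptions constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line shape: <iso-ts> <src-ip> "<method> <path>" <status> ua="..." [sess=<token>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'ua="(?P<ua>[^"]*)"(?: sess=(?P<sess>\S+))?$'
)
SAML_LOGIN = "/saml/login"

# Constructed sample log: IPs, user agents and tokens are synthetic.
# tokA is issued to 10.0.0.5 and later presented from 203.0.113.9 with a
# different client; 198.51.100.7 hammers /saml/login with no session.
SAMPLE_LOG = """\
2026-04-01T09:00:01 10.0.0.5 "GET /saml/login" 302 ua="Mozilla/5.0 (Windows NT 10.0)" sess=tokA
2026-04-01T09:00:05 10.0.0.5 "GET /vpn/index.html" 200 ua="Mozilla/5.0 (Windows NT 10.0)" sess=tokA
2026-04-01T09:01:10 198.51.100.7 "POST /saml/login" 200 ua="python-requests/2.31"
2026-04-01T09:01:11 198.51.100.7 "POST /saml/login" 200 ua="python-requests/2.31"
2026-04-01T09:01:12 198.51.100.7 "POST /saml/login" 200 ua="python-requests/2.31"
2026-04-01T09:05:00 203.0.113.9 "GET /vpn/index.html" 200 ua="curl/8.4.0" sess=tokA
2026-04-01T09:06:00 10.0.0.6 "GET /saml/login" 302 ua="Mozilla/5.0 (Macintosh)" sess=tokB
2026-04-01T09:06:05 10.0.0.6 "GET /vpn/index.html" 200 ua="Mozilla/5.0 (Macintosh)" sess=tokB
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_token_reuse(lines):
    """Return tokens seen from more than one source IP or user agent.

    Result: {token: {"ips": set, "uas": set, "first": datetime, "last": datetime}}.
    A token issued to one client and replayed by another is the primary
    post-exploitation signal for a session-material overread.
    """
    seen = defaultdict(lambda: {"ips": set(), "uas": set(), "first": None, "last": None})
    for ev in filter(None, map(parse_line, lines)):
        if not ev["sess"]:
            continue
        s = seen[ev["sess"]]
        s["ips"].add(ev["ip"])
        s["uas"].add(ev["ua"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return {tok: s for tok, s in seen.items() if len(s["ips"]) > 1 or len(s["uas"]) > 1}


def find_saml_probe_sources(lines, threshold=3):
    """Return source IPs with at least `threshold` session-less requests to /saml/login.

    A first SSO request legitimately carries no session, so this is a
    volume heuristic; the low default threshold suits the tiny sample only.
    """
    counts = defaultdict(int)
    for ev in filter(None, map(parse_line, lines)):
        if ev["path"].startswith(SAML_LOGIN) and not ev["sess"]:
            counts[ev["ip"]] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for tok, s in find_token_reuse(lines).items():
        print(f"[hijack?] token {tok} seen from {sorted(s['ips'])} with {sorted(s['uas'])} "
              f"between {s['first']} and {s['last']}")
    for ip in sorted(find_saml_probe_sources(lines)):
        print(f"[probe?] {ip} repeatedly requested {SAML_LOGIN} without a session")
```

On the sample data the first check flags `tokA` (issued to 10.0.0.5, replayed from 203.0.113.9 with a different client) and the second flags 198.51.100.7. The token-reuse check is the higher-fidelity signal and is the one worth keeping as a standing rule; the probe count is noisy on a busy IdP and is better treated as corroboration than as an alert on its own.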