
CitrixBleed 3

CVE-2026-3055: unauthenticated memory overread in NetScaler SAML IdP path, CVSS 9.3; third critical memory bug in Citrix NetScaler in 30 months.

Last refreshed: 30 April 2026

Key Question

Why does Citrix NetScaler keep getting the same kind of critical memory bug?

Timeline for CitrixBleed 3

#3, 6 May: Listed in KEV with 9 May federal remediation deadline. Linked briefing: Cybersecurity: Threats and Defences: CISA deadline for PAN-OS RCE lands four days early

#2, 20 Apr

#1, 7 Apr
Common Questions

What is CitrixBleed 3 and how dangerous is it?

CitrixBleed 3 covers two CVEs (CVE-2026-3055 and CVE-2026-4368): unauthenticated memory overreads in Citrix NetScaler affecting both the SAML and WS-Federation authentication endpoints, scored CVSS 9.3. Active reconnaissance was confirmed by WatchTowr before CISA added it to KEV on 28 March 2026.
Source: Citrix / CISA / WatchTowr

Is Citrix fixing the root cause of its repeated memory bugs?

Three critical memory-disclosure vulnerabilities in NetScaler's authentication path in 30 months, now spanning SAML and WS-Federation endpoints, suggest a shared root cause in memory management. Citrix has not publicly confirmed a root-cause fix; each vulnerability has been patched individually.
Source: Lowdown analysis / Qualys

What is the difference between CVE-2026-3055 and CVE-2026-4368?

CVE-2026-3055 is a memory overread at the /saml/login endpoint triggered by a crafted SAMLRequest. CVE-2026-4368 is a separate memory-overread primitive at the /wsfed/passive endpoint. Both were patched in the same release but represent distinct attack surfaces.
Source: Citrix security advisory, March 2026

Background

CitrixBleed 3 is an unauthenticated memory-overread cluster in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML Identity Provider. The original CVE-2026-3055, scored 9.3 under CVSS v4.0, was disclosed by Citrix on 23 March 2026 and is triggered by a crafted SAMLRequest sent to the `/saml/login` endpoint. CISA added it to the Known Exploited Vulnerabilities catalogue on 28 March with a federal remediation deadline of 2 April. WatchTowr confirmed active reconnaissance before mass exploitation. The NCSC issued an advisory on 25 March. A second CVE, CVE-2026-4368, was disclosed alongside the patch: a distinct memory-overread primitive at the `/wsfed/passive` endpoint, which widens the attack surface beyond the SAML path. Both CVEs were fixed in the same release, but the dual-CVE structure indicates that the memory-management issue spans multiple authentication endpoints.

The attack path follows the same structural pattern as 2023's CitrixBleed (CVE-2023-4966) and 2025's CitrixBleed 2 (CVE-2025-5777): a malformed request to an authentication endpoint makes the appliance answer with memory it never initialised, and in this case the leak surfaces via the `NSC_TASS` cookie. The 2023 CitrixBleed, triggered by an oversized Host header, was exploited by LockBit and multiple APT groups; CitrixBleed 2 followed in June 2025, triggered by a login field sent without a value. Three critical memory-disclosure vulnerabilities with the same structural pattern in 30 months, now spanning two distinct endpoints, point to a shared root cause in NetScaler's authentication-path memory management rather than isolated bugs.
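The pattern above, a request to an authentication endpoint that lacks something a real SSO round-trip always carries and is answered with a body full of appliance memory, is what a defender should hunt for in logs from before the patch went on. What follows is an added example written for this page, not code from Citrix, WatchTowr or the page's author. It assumes combined-format access log lines exported from the appliance or a front WAF, that legitimate traffic to `/saml/login` carries a `SAMLRequest` and traffic to `/wsfed/passive` carries `wa` and `wtrealm`, and a 4 KiB size threshold for "this 200 came back with memory in it". The page does not say which field the real exploits omit, so the missing-parameter check is a heuristic rather than the exploit condition, and the log lines are constructed.

```python
"""Hunt for CitrixBleed 3-style probes in NetScaler-fronting access logs.

Added example for this page; not Citrix, WatchTowr or Lowdown code. Assumptions:
combined-format access log lines (NetScaler web logging or a front WAF), that a
legitimate SSO request to /saml/login carries SAMLRequest and one to
/wsfed/passive carries wa and wtrealm, and that an overread answer is a large
200 rather than the small redirect a real login produces. The exact field the
real exploits omit is not stated on the page, so "missing required field" is a
heuristic, not the exploit condition.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoint -> query parameters a genuine SSO round-trip always carries (assumption).
WATCHED = {
    "/saml/login": {"SAMLRequest"},
    "/wsfed/passive": {"wa", "wtrealm"},
}

# A 200 larger than this is treated as "came back with memory" rather than a
# login page; tune to your own baseline (assumption).
LARGE_RESPONSE = 4096


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # A parameter that is present but has no value is treated as absent: a
    # value-less field is the shape these overread triggers have taken before.
    entry["params"] = {k for k, v in parse_qsl(url.query, keep_blank_values=True) if v}
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry):
    """Return the reasons (possibly none) a request looks like an overread probe."""
    required = WATCHED.get(entry["path"])
    if required is None:
        return []
    reasons = []
    # POST bodies never reach an access log, so the missing-field check can only
    # be made on GET here; POST traffic needs a WAF with body inspection.
    if entry["method"] == "GET":
        missing = required - entry["params"]
        if missing:
            reasons.append("missing " + ",".join(sorted(missing)))
    if entry["status"] == "200" and entry["size"] > LARGE_RESPONSE:
        reasons.append("large 200 response")
    return reasons


def hunt(lines, min_hits=3):
    """Flag suspicious requests and sources hammering the watched endpoints.

    Returns (findings, noisy): findings is a list of (src, path, reasons) for
    requests that classify() flagged; noisy maps a source address to its hit
    count on the watched endpoints once that count reaches min_hits, which is
    the reconnaissance signature to look for in pre-patch logs.
    """
    findings = []
    per_src = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["path"] in WATCHED:
            per_src[entry["src"]] += 1
        reasons = classify(entry)
        if reasons:
            findings.append((entry["src"], entry["path"], reasons))
    noisy = {src: n for src, n in per_src.items() if n >= min_hits}
    return findings, noisy


# Constructed sample lines (documentation IP ranges); not real appliance output.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Mar/2026:10:01:02 +0000] "GET /saml/login?SAMLRequest=fZJdb9ow&RelayState=abc HTTP/1.1" 302 0',
    '203.0.113.9 - - [24/Mar/2026:10:02:11 +0000] "GET /saml/login HTTP/1.1" 200 131072',
    '203.0.113.9 - - [24/Mar/2026:10:02:12 +0000] "GET /saml/login?SAMLRequest HTTP/1.1" 200 131072',
    '203.0.113.9 - - [24/Mar/2026:10:02:13 +0000] "GET /wsfed/passive?wa=wsignin1.0 HTTP/1.1" 200 65536',
    '192.0.2.44 - - [24/Mar/2026:10:05:00 +0000] "POST /saml/login HTTP/1.1" 302 0',
    '192.0.2.44 - - [24/Mar/2026:10:06:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    found, noisy = hunt(SAMPLE_LOG)
    for src, path, reasons in found:
        print(f"{src} {path}: {'; '.join(reasons)}")
    for src, n in noisy.items():
        print(f"{src}: {n} hits on watched endpoints")
```

On the sample, the three requests from 203.0.113.9 are flagged (two to `/saml/login` without a usable `SAMLRequest`, one to `/wsfed/passive` without `wtrealm`, all answered with oversized 200s) and that address is reported as noisy, while the legitimate redirect-binding login and the POST login are left alone. The POST case is the weak spot: SAML's HTTP-POST binding puts `SAMLRequest` in the body, which an access log never sees, so the missing-field heuristic only covers GET and the body-carrying traffic needs a WAF or full-request capture in front of the appliance.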

For enterprises running NetScaler as the SAML broker for single sign-on, CitrixBleed 3 is a third iteration of the same risk: a crafted request to an authentication endpoint can expose session tokens that let an attacker bypass authentication entirely. Tokens read out of memory before the fix stay valid until the sessions holding them are ended, so patching has to be followed by terminating active sessions, as with the two earlier CitrixBleeds. The risk calculus is therefore no longer just patching CVE-2026-3055 and CVE-2026-4368; it is whether NetScaler should remain the SAML broker for an estate's entire authentication chain.