
CVE-2026-3055
CVE-2026-3055: CitrixBleed 3, CVSS 9.3 unauthenticated memory overread in NetScaler SAML IdP path; added to CISA KEV 28 March 2026.
Last refreshed: 17 April 2026 · Appears in 1 active topic
Cybersecurity: Threats and Defences - What is CVE-2026-3055 and how serious is it?
- CVE-2026-3055 (CitrixBleed 3) is an unauthenticated memory overread in Citrix NetScaler's SAML login path, scored CVSS 9.3. It allows attackers to extract session tokens and bypass authentication for all SSO-protected applications without a password. CISA added it to KEV on 28 March 2026.
Source: Citrix / CISA / WatchTowr
Background
CVE-2026-3055 is the vulnerability designated CitrixBleed 3: an unauthenticated memory overread in Citrix NetScaler ADC and NetScaler Gateway when configured as a SAML Identity Provider, scored CVSS v4.0 9.3. Citrix disclosed it on 23 March 2026; CISA added it to the Known Exploited Vulnerabilities catalogue on 28 March with a federal remediation deadline of 2 April. WatchTowr confirmed active reconnaissance before mass exploitation; the NCSC issued an advisory on 25 March.
The technical attack path follows the CitrixBleed 2023 template: a crafted SAMLRequest to the `/saml/login` endpoint that omits the AssertionConsumerServiceURL field causes NetScaler to leak memory via the `NSC_TASS` cookie. The leaked memory can contain session tokens, enabling authentication bypass for any application protected by the compromised SAML broker without requiring a valid username or password.
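A detection check for the request shape described above, written here as an added example (not Citrix's, CISA's or WatchTowr's code): it decodes the `SAMLRequest` parameter of hits on `/saml/login` from constructed access-log lines and flags AuthnRequests that carry no `AssertionConsumerServiceURL` attribute. The log format, client addresses and XML fixtures are all constructed for the example.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs, quote

# Constructed AuthnRequest fixtures (not captured traffic): one with the ACS URL, one without it.
_GOOD_AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
               'ID="_a1" Version="2.0" IssueInstant="2026-03-24T00:00:00Z" '
               'AssertionConsumerServiceURL="https://sp.example.test/acs"/>')
_BAD_AUTHN = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
              'ID="_a2" Version="2.0" IssueInstant="2026-03-24T00:00:00Z"/>')

def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, then base64, as SAMLRequest appears in a query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_saml_request(value):
    """Recover the AuthnRequest XML from a SAMLRequest value (Redirect or POST binding)."""
    raw = base64.b64decode(value)
    try:
        return zlib.decompress(raw, -15).decode()   # Redirect binding (deflated)
    except zlib.error:
        return raw.decode(errors="replace")          # POST binding (plain base64)

def missing_acs_url(xml_text):
    """True when the AuthnRequest carries no AssertionConsumerServiceURL attribute."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return True  # an unparsable request on the IdP login path also deserves review
    return "AssertionConsumerServiceURL" not in root.attrib

def flag_requests(log_lines):
    """Return client IPs whose /saml/login request omits the ACS URL (constructed log format)."""
    flagged = []
    for line in log_lines:
        ip, _method, target = line.split(" ", 2)
        url = urlsplit(target)
        if not url.path.startswith("/saml/login"):
            continue
        params = parse_qs(url.query)
        if "SAMLRequest" not in params:
            continue
        if missing_acs_url(decode_saml_request(params["SAMLRequest"][0])):
            flagged.append(ip)
    return flagged

# Constructed access-log lines: "<client-ip> <method> <path?query>"
SAMPLE_LOG = [
    "10.0.0.5 GET /saml/login?SAMLRequest=" + quote(encode_redirect(_GOOD_AUTHN), safe=""),
    "198.51.100.7 GET /saml/login?SAMLRequest=" + quote(encode_redirect(_BAD_AUTHN), safe=""),
    "10.0.0.9 GET /vpn/index.html",
]
```

Run `flag_requests(SAMPLE_LOG)` to see only the second client flagged; a real deployment would feed the same function from the NetScaler access logs or a reverse proxy in front of the SAML IdP path.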
This CVE is the third iteration of a structurally identical class of memory-disclosure vulnerability in NetScaler's SAML code in thirty months (CVE-2023-4966 in 2023; a 2024 variant; CVE-2026-3055 in 2026). Security researchers at Qualys and Picus have assessed this pattern as evidence of a shared root cause in NetScaler's SAML request memory management, rather than three independent bugs. Enterprises using NetScaler as their SAML broker must patch immediately and should add the CVE to a formal architecture-review agenda.