NetScaler ADC

Citrix application delivery controller; three critical memory CVEs in 30 months including CitrixBleed 3 targeting its SAML Identity Provider path.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Why does NetScaler's SAML login keep producing critical vulnerabilities?

Timeline for NetScaler ADC

#1 · 17 Apr

Contained critical memory overread vulnerability in SAML IdP configuration path

Topic: Cybersecurity: Threats and Defences: CitrixBleed 3 lands on SAML broker
Common Questions
What is NetScaler ADC used for?
NetScaler ADC is Citrix's application delivery controller, used as a load balancer, SSL VPN, and SAML Identity Provider for enterprise SSO. Its edge position in authentication infrastructure makes critical CVEs in its SAML path high-impact.
Is NetScaler vulnerable in 2026?
Yes. CVE-2026-3055 (CitrixBleed 3) was disclosed in March 2026, the third critical memory CVE in NetScaler's SAML path in 30 months. CISA added it to KEV on 28 March as actively exploited. Source: Citrix / CISA

Background

NetScaler Application Delivery Controller (ADC) is the primary product affected by CVE-2026-3055 (CitrixBleed 3), an unauthenticated memory overread in the appliance's SAML Identity Provider path with a CVSS v4.0 score of 9.3. CISA added the CVE to its Known Exploited Vulnerabilities catalogue on 28 March 2026 with a federal remediation deadline of 2 April. Active reconnaissance was confirmed by watchTowr.

NetScaler ADC is a widely deployed enterprise application delivery and load-balancing appliance that many organisations position as the SAML Identity Provider for their SSO infrastructure. Its edge position, fronting authentication for hundreds of downstream applications, makes critical vulnerabilities in its SAML endpoint a maximum-impact risk: an attacker who exploits the memory overread obtains session tokens that enable authentication bypass across everything the appliance protects.

The three CitrixBleed vulnerabilities in 2023, 2024 and 2026 all occur at the same NetScaler SAML endpoint (`/saml/login`). The 2023 original was exploited by LockBit and multiple APT groups. Mandiant's incident-response reporting on the 2023 CitrixBleed documented the attack path that CitrixBleed 3 repeats, with the same structural signature. For enterprise architects, this repeat pattern makes a product-category architecture review (replacing NetScaler as the SAML broker) more justifiable than a further patch-and-wait posture.