29MAY

CitrixBleed 3 lands on SAML broker

3 min read

14:17UTC

CVE-2026-3055 is the third critical memory-disclosure bug in NetScaler in thirty months. Researchers are calling it CitrixBleed 3.

← Back to GitHub's own code cloned via VS Code add-on Jump to analysis ↓

TechnologyAssessed

Key takeaway

Three CitrixBleed variants in thirty months point to a structural flaw, not three isolated bugs.

Citrix disclosed CVE-2026-3055 on 23 March 2026, an unauthenticated memory overread in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances configured as a Security Assertion Markup Language (SAML) Identity Provider, with a Common Vulnerability Scoring System (CVSS) v4.0 score of 9.3 ¹. A Common Vulnerabilities and Exposures (CVE) number is the public identifier assigned to a given software flaw; the CVSS score rates severity from 0 to 10. Researchers are already calling the new flaw CitrixBleed 3. The attack shape is familiar from the 2023 original: a crafted SAMLRequest to the `/SAML/login` endpoint, omitting the AssertionConsumerServiceURL field, causes the appliance to leak memory via the `NSC_TASS` cookie.

The Cybersecurity and Infrastructure Security Agency (CISA), the US federal cyber defence agency, added the CVE to its Known Exploited Vulnerabilities (KEV) catalogue on 28 March with a 2 April deadline for federal civilian agencies to patch. The KEV catalogue is the authoritative list of bugs confirmed to be exploited in the wild; a place on it triggers a Binding Operational Directive that carries statutory force inside the federal government. Security research firm WatchTowr has detected active reconnaissance in the wild, and the UK National Cyber Security Centre (NCSC), the operational arm of GCHQ, issued a patching advisory to UK operators on 25 March.

Mandiant's incident response on the 2023 CitrixBleed recorded exploitation by the LockBit ransomware affiliate and multiple Advanced Persistent Threat (APT) groups within weeks of public disclosure. CitrixBleed 2 followed in 2024 on the same appliance family. Three serial critical memory-management bugs in thirty months, with the same structural pattern around SAML request parsing, stops being a coincidence. For the enterprises running NetScaler as their SAML broker for single sign-on, which means NetScaler fronts every other authentication decision inside the estate, the appliance is now a top-tier item on the 2026 architecture review, not a patch-management ticket.

Deep Analysis

In plain English

NetScaler is a piece of network equipment made by Citrix that many large companies use as a security gateway: it sits at the entrance to corporate systems and handles user logins. Think of it as the electronic reception desk that checks whether someone's badge is valid before letting them into the building. CVE-2026-3055 is a flaw in how NetScaler processes a specific type of login request. A hacker can send a specially crafted login attempt that causes the equipment to accidentally leak a chunk of its own memory, and that memory contains the digital equivalent of master keys that allow the hacker to log in as a real user without knowing their password. This is the third time in about two and a half years that Citrix has had to patch a critical flaw of this type in the same product. Researchers have already spotted attackers probing for vulnerable systems, which usually means mass exploitation follows within weeks.

Deep Analysis

Root Causes

NetScaler appliances function as SAML Identity Providers for thousands of enterprise single sign-on deployments. The SAML assertion parser runs in a privileged execution context inside the appliance firmware. Memory overread in that context leaks session tokens rather than crashing the service, because the parser is designed to continue operating gracefully on malformed inputs.

The market dynamic compounds the technical problem: NetScaler is a long-cycle enterprise asset. Organisations that replaced their Cisco VPN concentrators with NetScaler in the 2015-2020 era now face a three-serial-CVE appliance in front of every other authentication decision they make, with upgrade cycles measured in financial-year budget cycles rather than weeks.

What could happen next?

Risk
The WatchTowr reconnaissance confirmation, combined with the 21-day CitrixBleed 2023 exploitation arc, puts mass exploitation of CVE-2026-3055 within the Watch For window, potentially before many enterprise patch cycles complete.
Consequence
Three serial critical CVEs in NetScaler SAML processing will accelerate enterprise architecture reviews of whether NetScaler should remain as the SAML broker, benefiting competing identity-plane vendors.

Source Landscape

This story draws on neutral-leaning sources

Primary parallel: CVE-2023-4966, the original CitrixBleed, was disclosed in October 2023 and exploited by LockBit, Medusa, and at least four APT groups within weeks of CISA's KEV addition. The exploitation arc from reconnaissance to mass exploitation took approximately 21 days in 2023. WatchTowr's confirmation of active reconnaissance of CVE-2026-3055 before mass exploitation was public places this iteration at the same early stage in that same arc.

Counter-parallel: The 2021 Microsoft Exchange ProxyLogon series (CVE-2021-26855 and three companion CVEs) also involved a chain of memory-handling bugs in a widely-deployed authentication intermediary. Microsoft patched all four in a single release once the structural root cause was identified. Citrix has not yet publicly characterised whether CVE-2026-3055 shares the same root cause as its predecessors, which is itself an informative absence.

Consensus view: Palo Alto Unit 42 and Mandiant both document the structural pattern: three critical memory-disclosure CVEs in NetScaler's SAML processing path across 30 months indicate a shared root cause in how the `NSC_TASS` session-cookie handler manages assertion parser memory, rather than three independent bugs. Unit 42's NetScaler threat intelligence series treats CitrixBleed 3 as a continuation of a known exploitation chain, not a novel attack surface.

Counter-view: ENISA's 2025 threat report assesses that SAML-broker vulnerability patterns in European enterprise estates disproportionately affect mid-market organisations that lack the patch automation infrastructure of large enterprises, arguing the deployment gap, not the vulnerability cadence, is the primary risk driver.

Key tension: Whether Citrix can resolve the underlying memory-management problem in NetScaler's SAML processing code through incremental patches, or whether the architectural decision to handle SAML parsing in C-level appliance firmware makes further variants structurally inevitable.

Sources:Citrix·ENISA

Mentions:Citrix →NetScaler ADC →CISA →WatchTowr →NCSC →Prima →Mandiant →ENISA →Known Exploited Vulnerabilities →TASS →Microsoft →LockBit5 →Security Assertion Markup Language →Common Vulnerability Scoring System →GCHQ →CitrixBleed 3 →

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Citrix· 17 Apr 2026

Read original →

Causes and effects

Caused by

cPanel zero-day ran 65 days before patch; Sorry ransomware active

CVE-2026-41940 inverts the CitrixBleed 3 scenario: that patch existed but was unapplied; here no patch existed during the 65-day exploitation window.

Occurred 30 Apr 2026

Read story →

This Event

CitrixBleed 3 lands on SAML broker

Three serial critical memory overreads in the same product family, exploited in the appliance that fronts enterprise single sign-on, stops looking like three bugs.

Led to

CISA gives Cisco SD-WAN three days to patch

CISA three-day Cisco SD-WAN deadline follows the same emergency-KEV cadence previously applied to CitrixBleed 3 in ID:2544.

Occurred 20 Apr 2026

Read story →

Different Perspectives

Google Threat Intelligence Group

GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.

Enterprise security buyers / CISO community

For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.

DSIT / UK Government

DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.

GitHub / Microsoft

GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.

Tsinghua University Institute for International Strategic Studies

Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Cisco

Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.