Citrix published advisory CTX696300 on March 23, 2026, for CVE-2026-3055 (CVSS 9.3). The flaw is an unauthenticated out-of-bounds memory read in NetScaler ADC and NetScaler Gateway that can leak session tokens from appliance memory. No exploit exists in the wild yet. Rapid7, watchTowr, and Arctic Wolf all expect attackers to reverse-engineer the patch within days.
A remote attacker sends crafted requests that force the appliance to read past the intended buffer. Adjacent memory may contain session tokens, authentication material, or other secrets the device processes. The flaw requires one precondition: the NetScaler appliance must be configured as a SAML Identity Provider (SAML IDP). Rapid7 notes that SAML IDP "is likely a very common configuration for organizations utilizing single sign-on." No public proof-of-concept exists as of publication.
Administrators can check by searching their NetScaler config for add authentication samlIdPProfile.
Only customer-managed instances are affected. Citrix-managed cloud and Adaptive Authentication receive automatic updates. Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and 13.1-FIPS/NDcPP before 13.1-37.262. Citrix discovered the flaw internally during a security review.
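As an added example (not from the Citrix advisory or from any of the vendors quoted here), the following POSIX shell script performs the two triage checks described above offline: it greps an exported NetScaler ns.conf for the add authentication samlIdPProfile line that marks the SAML IDP precondition, and compares a NetScaler build string against the fixed builds listed in the advisory. The config excerpt is constructed for the demo; the fixed-build numbers are the ones quoted above. Because 13.1-FIPS/NDcPP builds share the 13.1- prefix with the mainline 13.1 train, the train name is passed explicitly for those appliances.

```shell
#!/bin/sh
# Constructed excerpt of a NetScaler ns.conf, used only as sample input.
SAMPLE_CONF='add authentication samlIdPProfile idp_corp -samlIdPCertName cert_idp -samlSPCertName cert_sp
add authentication vserver auth_vs SSL 10.0.0.5 443
add vpn vserver gw_vs SSL 10.0.0.6 443'

# First fixed build for each release train, as listed in CTX696300.
fixed_build() {
    case "$1" in
        14.1) echo "66.59" ;;
        13.1) echo "62.23" ;;
        13.1-FIPS|13.1-NDcPP) echo "37.262" ;;
        *) return 1 ;;
    esac
}

# build_lt A B: true (0) when build A ("major.minor") is numerically below B.
build_lt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -lt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# is_affected VERSION [TRAIN]
# VERSION is a NetScaler build string such as "14.1-66.59". TRAIN overrides the
# release train derived from the prefix (e.g. 13.1-FIPS), since FIPS/NDcPP builds
# also start with "13.1-". Prints affected/fixed/unknown; returns 0/1/2.
is_affected() {
    ver=$1
    train=${2:-${ver%%-*}}
    build=${ver#*-}
    fixed=$(fixed_build "$train") || { echo "unknown"; return 2; }
    if build_lt "$build" "$fixed"; then
        echo "affected"; return 0
    else
        echo "fixed"; return 1
    fi
}

# has_saml_idp CONF_FILE: true (0) when the config defines a SAML IdP profile,
# i.e. the precondition for CVE-2026-3055 is met.
has_saml_idp() {
    grep -q 'add authentication samlIdPProfile' "$1"
}

# Demo against the constructed sample config and two example build strings.
conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
if has_saml_idp "$conf"; then
    echo "SAML IdP profile present: CVE-2026-3055 precondition met"
else
    echo "No SAML IdP profile found"
fi
for v in 14.1-66.58 14.1-66.59; do
    echo "$v: $(is_affected "$v")"
done
rm -f "$conf"
```

Run it with an exported ns.conf in place of the sample and the output of the appliance's version command in place of the literals; an "affected" result together with a present samlIdPProfile line is the combination the advisory treats as exposed.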
NetScaler ADC and Gateway sit at the network edge by design. They handle SSL VPN, remote access, load balancing, and SAML-based single sign-on. Thousands of instances face the public internet. Internet-facing, unauthenticated, low attack complexity, and a precondition (SAML IDP) common in enterprise SSO environments all combine to make CVE-2026-3055 a priority-one patching target.
CVE-2026-3055 allows unauthenticated attackers to leak and read sensitive memory from NetScaler ADC deployments. If it sounds familiar, it's because it is — this vulnerability sounds suspiciously similar to CitrixBleed and CitrixBleed2, which continue to represent a trauma event for many. Imminent exploitation is highly likely.
— Benjamin Harris, CEO and founder, watchTowr
The CitrixBleed comparison is not rhetorical. CVE-2023-4966 (CitrixBleed), disclosed in October 2023, was a memory leak in the same product family. LockBit ransomware operators used it to breach ICBC (the world's largest bank), Boeing, and DP World (one of the world's largest port operators). CISA added it to the Known Exploited Vulnerabilities catalog. Mass exploitation followed within days of disclosure.
CVE-2025-5777 (CitrixBleed2) was another memory read in NetScaler ADC and Gateway. Arctic Wolf confirmed it was "heavily targeted" in 2025. Before CitrixBleed, CVE-2023-3519 (RCE in NetScaler) was added to the CISA KEV catalog in July 2023.
CVE-2026-3055 is the third flaw in the same product with the same vulnerability class. The pattern has played out twice already: a memory leak on an internet-facing authentication appliance leads to session token theft, then lateral movement, then ransomware.
Because this latest vulnerability was also assigned a critical-severity rating by Citrix, we can infer that CVE-2026-3055 also likely results in a similar level of sensitive memory disclosure that CitrixBleed (CVE-2023-4966) experienced in 2023.
— Ryan Emmons, staff security researcher, Rapid7
A second flaw in the same advisory carries lower but real risk. CVE-2026-4368 (CVSS 7.7) is a race condition that causes user session mix-up. It triggers when NetScaler is configured as a Gateway (SSL VPN, ICA Proxy, RDP Proxy) or AAA virtual server. One user may interact with another user's authenticated session.
This is particularly dangerous because it requires no authentication to trigger and leaves almost no trace in standard logs. We've seen this movie before with CitrixBleed in 2023: attackers will likely reverse-engineer the patch within 48 to 72 hours to create functional exploits.
— Noelle Murata, senior security engineer, Xcape Inc
Cloud Software Group (Citrix's parent) is "not aware of any unmitigated exploit" for either CVE. Anil Shetty, senior VP of Engineering, confirmed the assessment. watchTowr has already notified active platform clients of their exposure.
Warning
Patch immediately. Update NetScaler ADC and Gateway to 14.1-66.59, 13.1-62.23, or 13.1-FIPS/NDcPP 13.1-37.262. If patching cannot happen instantly, restrict access to SAML endpoints via ACLs. After patching, terminate all active sessions to invalidate any tokens that may have leaked. Rotate SAML signing certificates, session keys, and any credentials processed through the affected SSO workflow.
The 48-to-72-hour window before functional exploits appear is a reasonable estimate based on prior CitrixBleed timelines. The same product, the same flaw class, the same attack surface. CitrixBleed led to LockBit hitting ICBC and Boeing. CitrixBleed2 was heavily targeted in 2025. CVE-2026-3055 sits at step one of a pattern that has played out twice before.