Citrix NetScaler CVE-2026-3055: The SAML Memory-Overread CitrixBleed Echo of 2026

CVE-2026-3055 is an unauthenticated memory overread in NetScaler ADC/Gateway configured as a SAML IdP, CVSS 9.3, exploited since late March 2026 and drawing direct CitrixBleed comparisons. Full analysis.

Safeguard Research Team
Threat Intelligence

Citrix NetScaler has a recurring nightmare, and its name is memory disclosure. The 2023 CitrixBleed (CVE-2023-4966) and the 2025 CitrixBleed 2 (CVE-2025-5777) both worked the same way: an unauthenticated attacker coaxed the appliance into leaking the contents of its own memory, harvesting session tokens and credentials that enabled session hijacking and full account takeover without ever guessing a password. In 2026 the pattern repeated with CVE-2026-3055, a memory-overread bug in NetScaler ADC and NetScaler Gateway that is reachable when the appliance is configured as a SAML Identity Provider.

The timeline is worth stating plainly because it shaped how May 2026 looked for NetScaler operators. Citrix disclosed CVE-2026-3055 in late March 2026 (NVD published March 23). Within days, researchers at watchTowr and Defused confirmed active in-the-wild exploitation from known threat-actor source IPs, with abuse observed since at least March 27. CISA added it to the Known Exploited Vulnerabilities catalog on March 30 with a remediation deadline of April 2, 2026, a three-day federal window. Multiple researchers warned the campaign could rival the 2023 CitrixBleed event, which fueled LockBit 3.0 and other ransomware operators. The exploitation window did not slam shut on April 2. Memory-disclosure campaigns against NetScaler historically have long tails, and unpatched, internet-facing SAML IdP appliances remained an active target into Q2 2026.

We are publishing this analysis in May 2026 because the operational reality for defenders is still live: the bug is exploited, the patch is the only durable fix, and the secondary cleanup (session and credential rotation) is exactly the step organizations skipped during CitrixBleed and paid for. The disclosure facts below are dated to their actual occurrence in March-April 2026; we flag the distinction explicitly rather than backdating the event.

TL;DR

  • CVE-2026-3055 is an unauthenticated out-of-bounds read / memory overread (CWE-125) in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML Identity Provider (SAML IdP).
  • Severity: CVSS v3.1 9.8 (Critical) and CVSS v4.0 9.3 (Critical) per NVD. NVD published it March 23, 2026.
  • Active in-the-wild exploitation was confirmed from at least March 27, 2026 (watchTowr, Defused). CISA added it to KEV on March 30, 2026, deadline April 2, 2026.
  • Exploitation technique: a crafted SAMLRequest sent to /saml/login that omits the AssertionConsumerServiceURL field, causing the appliance to leak memory contents via the NSC_TASS cookie.
  • Affected: NetScaler ADC and Gateway before 13.1-62.23 and 14.1-60.58, plus 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. A companion bug, CVE-2026-4368 (race condition / session mix-up), affects 14.1-66.54.
  • Researchers drew explicit comparisons to the 2023 CitrixBleed campaign. The remediation is patch plus session/credential rotation — patching alone does not evict an attacker holding leaked tokens.

What happened

NVD published CVE-2026-3055 on March 23, 2026, describing it as "insufficient input validation in NetScaler ADC and NetScaler Gateway when configured as a SAML IDP leading to memory overread," classified as CWE-125 (out-of-bounds read). NVD assigns CVSS v3.1 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CVSS v4.0 9.3.

Citrix's bulletin (CTX696300) covered CVE-2026-3055 alongside CVE-2026-4368, a race condition leading to user session mix-up that can expose one user's session to another. The two bugs have different scopes: CVE-2026-3055 affects NetScaler ADC and Gateway before 13.1-62.23 and 14.1-60.58 (and 13.1-FIPS/13.1-NDcPP before 13.1-37.262), while CVE-2026-4368 affects the 14.1-66.54 build. The critical precondition for CVE-2026-3055 is configuration: the appliance must be acting as a SAML IdP. NetScaler instances used purely as load balancers or as SAML service providers (rather than identity providers) are not in the reachable population for this bug.

Active exploitation followed disclosure almost immediately. Per Cybersecurity Dive, researchers at watchTowr and Defused confirmed that threat actors were exploiting CVE-2026-3055 since at least March 27, 2026, with traffic originating from known threat-actor source IPs. CISA added the CVE to KEV on March 30, 2026 and set an April 2 remediation deadline for federal agencies. Several researchers framed the campaign as a potential repeat of the 2023 CitrixBleed event, which ransomware groups including LockBit 3.0 used to breach major organizations via hijacked sessions.

What is reported versus inferred: the existence, mechanics, CVSS, and KEV status of CVE-2026-3055 are firmly documented. The CitrixBleed comparison is researcher characterization, appropriately hedged, not a confirmed equivalence in scale or victim count. Specific victim organizations for the 2026 campaign were not publicly confirmed at the time of this writing.

Technical analysis

SAML single sign-on works by exchanging signed XML assertions between an Identity Provider (which authenticates the user) and a Service Provider (which trusts the IdP). NetScaler can play the IdP role, terminating SAML requests at /saml/login. CVE-2026-3055 lives in how the appliance parses an incoming SAML authentication request.

Per public reporting, the trigger is a crafted SAMLRequest sent to /saml/login that omits the AssertionConsumerServiceURL field. The AssertionConsumerServiceURL (ACS URL) tells the IdP where to send the SAML response. When it is absent, vulnerable NetScaler builds mishandle the resulting state and read beyond the bounds of an allocated buffer, then reflect leaked memory contents back to the attacker through the NSC_TASS cookie in the response.

The following sketch illustrates the shape of the malicious request for identification and detection purposes. It is intentionally non-functional and omits the working payload.

# ILLUSTRATIVE ONLY — request shape for detection, not a functional exploit.
GET /saml/login?SAMLRequest=<deflated-base64-SAML-AuthnRequest> HTTP/1.1
Host: <netscaler-saml-idp>
# The crafted AuthnRequest OMITS AssertionConsumerServiceURL,
# which on vulnerable builds triggers an out-of-bounds read.

# Vulnerable response reflects leaked memory in the NSC_TASS cookie:
HTTP/1.1 200 OK
Set-Cookie: NSC_TASS=<...attacker-observable leaked heap bytes...>

This is the CitrixBleed family's defining characteristic. The danger is not arbitrary code execution; it is information disclosure of in-process memory. On a NetScaler IdP, that memory can contain active session material, authentication tokens, and other sensitive state. An attacker who scrapes enough memory across repeated requests can recover a valid session token and replay it to impersonate an authenticated user, bypassing both the password and, depending on the SSO design, MFA, because the session was already established. That is why the remediation is two-part. Patching stops new leakage, but any token already exfiltrated remains valid until the session is invalidated. The lesson organizations learned the hard way in 2023 was that patch-only responses left attackers inside via tokens that were harvested before the fix landed.

Because the bug is unauthenticated and the trigger is a single crafted HTTP request to a predictable endpoint, it is trivially automatable and trivially scalable. That combination is what makes a SAML IdP exposure so dangerous: every internet-reachable, unpatched NetScaler IdP is a one-request-away memory faucet, and the cost to the attacker of scraping the entire reachable population is negligible.

What detection looks like

  • Requests to /saml/login lacking an ACS URL. Inspect inbound traffic to the SAML login endpoint for SAMLRequest values whose decoded AuthnRequest omits AssertionConsumerServiceURL. Repeated such requests from a source are a strong exploitation indicator.
  • Anomalous NSC_TASS cookie activity. Monitor for responses returning unusually sized or high-entropy NSC_TASS cookie values, and for clients harvesting many such responses in a short window.
  • Session replay and impossible travel. Because the endgame is session hijacking, watch for authenticated sessions appearing from new IPs/geographies, concurrent use of a single session from disparate locations, and session tokens used outside their expected lifetime.
  • Scanning from known threat-actor infrastructure. Correlate /saml/login probing against threat-intel source-IP lists. Public reporting tied the early exploitation to known threat-actor IPs.
  • Post-exploitation on adjacent systems. Treat a leaked IdP session as a potential foothold into every service that trusts the IdP. Hunt for unexpected logins to downstream applications that follow suspicious NetScaler activity.
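As an added illustration of the first detection bullet (this is not code from the original article, from Citrix or from the cited researchers), the following Python script decodes SAMLRequest values from web-server access-log lines and counts, per source IP, AuthnRequests that omit AssertionConsumerServiceURL or that do not decode at all. The combined-log field positions, the per-source threshold, the host names and the sample log lines are assumptions constructed here.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

def encode_redirect_saml_request(xml_text):
    """Raw DEFLATE + base64, as the SAML HTTP-Redirect binding encodes SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_saml_request(value):
    """Reverse the encoding; an undecodable value yields '' so the caller flags it."""
    try:
        return zlib.decompress(base64.b64decode(value, validate=True), -15).decode("utf-8", "replace")
    except (ValueError, zlib.error):
        return ""

def authn_request_finding(xml_text):
    """None if normal; 'missing-acs-url' only for an AuthnRequest (a LogoutRequest never has one)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "unparseable-authnrequest"
    if root.tag == "{%s}AuthnRequest" % SAMLP and "AssertionConsumerServiceURL" not in root.attrib:
        return "missing-acs-url"
    return None

def scan_access_log(lines, threshold=3):
    """Count flagged /saml/login requests per source IP; return sources at or over threshold."""
    hits = Counter()
    for line in lines:
        parts = line.split()  # combined-log assumption: source IP is field 0, request target is field 6
        url = urlsplit(parts[6]) if len(parts) > 6 else None
        if url is None or url.path != "/saml/login":
            continue
        for value in parse_qs(url.query).get("SAMLRequest", []):
            if authn_request_finding(decode_redirect_saml_request(value)):
                hits[parts[0]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample traffic (not real captures): one normal AuthnRequest, then three lacking an ACS URL.
_GOOD = '<samlp:AuthnRequest xmlns:samlp="%s" ID="_g1" Version="2.0" AssertionConsumerServiceURL="https://sp.example.com/acs"/>' % SAMLP
_BAD = '<samlp:AuthnRequest xmlns:samlp="%s" ID="_b1" Version="2.0"/>' % SAMLP
_LINE = '%s - - [27/Mar/2026:10:00:0%d +0000] "GET /saml/login?SAMLRequest=%s HTTP/1.1" 200 %d'
SAMPLE_LOG = [_LINE % ("198.51.100.7", 0, quote(encode_redirect_saml_request(_GOOD), safe=""), 812)] + [
    _LINE % ("203.0.113.5", i, quote(encode_redirect_saml_request(_BAD), safe=""), 4096) for i in (1, 2, 3)]
print(scan_access_log(SAMPLE_LOG))  # {'203.0.113.5': 3}
```

Point it at the real access log of the SAML vIP and lower the threshold to 1 during the exploitation window; the NSC_TASS size check from the second bullet is a separate pass over the response side.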

What to do Monday morning

  1. Identify every NetScaler ADC/Gateway acting as a SAML IdP. This is the reachable population. Confirm the role in the appliance configuration; do not assume from the hostname.
  2. Patch to a fixed build immediately. Upgrade to NetScaler ADC/Gateway 14.1-60.58 or 13.1-62.23 or later (and 13.1-37.262 for FIPS/NDcPP). For FCEB agencies the deadline was April 2, 2026; everyone else should treat it the same given confirmed exploitation.
  3. Terminate and rotate sessions and credentials — this is the step you cannot skip. After patching, kill all active NetScaler sessions, invalidate session tokens, and rotate credentials and secrets that may have transited the appliance's memory. This is precisely the CitrixBleed lesson: a patch does not revoke a token an attacker already stole.
  4. Hunt for prior compromise. Review logs back to at least March 23, 2026 for the /saml/login and NSC_TASS indicators above and for downstream session anomalies. If the appliance was internet-reachable and unpatched during the exploitation window, assume token theft and act accordingly.
  5. Reduce exposure of the management and SAML surfaces. Restrict administrative access to a management network, and where feasible front the SAML IdP endpoint with additional controls. Removing unnecessary internet exposure shrinks the attack surface for the next memory-disclosure bug, of which there will be one.
  6. Re-baseline downstream trust. Force re-authentication on applications federated to the affected IdP, and review for unauthorized access that could have used a hijacked session.
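An added triage helper for steps 1 and 2 (not Citrix tooling and not code from the original article): it compares NetScaler build strings against the fixed builds listed above, treats FIPS/NDcPP as their own branch with their own fixed build, and ranks appliances so that internet-facing SAML IdPs on affected builds come first. The inventory records, host names, builds and the "standard"/"FIPS"/"NDcPP" variant labels are constructed assumptions.

```python
import re

# Fixed builds from the Citrix bulletin as summarised in the article; lower builds on the same branch are affected.
FIXED_CVE_2026_3055 = {
    ("13.1", "standard"): (62, 23),
    ("14.1", "standard"): (60, 58),
    ("13.1", "FIPS"): (37, 262),
    ("13.1", "NDcPP"): (37, 262),
}
CVE_2026_4368_BUILD = ("14.1", (66, 54))  # the one build the article names for the session mix-up bug
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_build(build):
    """'14.1-60.58' -> ('14.1', (60, 58)); raises on anything that is not a NetScaler build string."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError("unrecognised NetScaler build: %r" % build)
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def affected_cves(build, variant="standard"):
    """CVEs from CTX696300 that apply to this build; FIPS/NDcPP are compared against their own fixed build."""
    branch, num = parse_build(build)
    fixed = FIXED_CVE_2026_3055.get((branch, variant))
    if fixed is None:
        raise ValueError("branch %s/%s not in the published fixed-build table" % (branch, variant))
    cves = ["CVE-2026-3055"] if num < fixed else []
    if (branch, num) == CVE_2026_4368_BUILD:
        cves.append("CVE-2026-4368")
    return cves

def triage(inventory):
    """Rank appliances: exposed SAML IdPs on affected builds first, fully patched last."""
    ranked = []
    for a in inventory:
        cves = affected_cves(a["build"], a.get("variant", "standard"))
        reachable = "CVE-2026-3055" in cves and a["saml_idp"]  # the overread needs the IdP role
        # 0: reachable and internet-facing, 1: reachable internal, 2: affected build but not reachable, 3: clean
        prio = 0 if reachable and a["internet_facing"] else 1 if reachable else 2 if cves else 3
        ranked.append((prio, a["host"], cves))
    return sorted(ranked)

INVENTORY = [  # constructed sample hosts and builds, not a real estate
    {"host": "ns-lb-01", "build": "14.1-47.46", "saml_idp": False, "internet_facing": True},
    {"host": "ns-idp-01", "build": "14.1-47.46", "saml_idp": True, "internet_facing": True},
    {"host": "ns-idp-02", "build": "13.1-37.200", "variant": "FIPS", "saml_idp": True, "internet_facing": False},
    {"host": "ns-idp-03", "build": "14.1-66.54", "saml_idp": True, "internet_facing": True},
    {"host": "ns-idp-04", "build": "13.1-62.23", "saml_idp": True, "internet_facing": True},
]
for prio, host, cves in triage(INVENTORY):
    print(prio, host, cves)
```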

Why this keeps happening

This is the third CitrixBleed-class memory-disclosure bug in NetScaler in roughly three years (2023, 2025, 2026). That is not coincidence; it is a structural signature. NetScaler is a high-performance C-based appliance that terminates complex, attacker-controlled protocols (HTTP, TLS, and SAML XML) at the network edge. Each of those protocols is a parsing surface, and parsing surfaces in memory-unsafe code are where out-of-bounds reads live. SAML in particular is a notoriously fiddly XML dialect with optional fields, signature wrapping, and state that is easy to mishandle, and the IdP role forces NetScaler to parse untrusted AuthnRequests before any authentication has occurred.

The compounding factor is what the appliance holds in memory. A device that brokers SSO necessarily has session tokens and authentication material resident in process memory. An information-disclosure bug on a generic web server might leak uninteresting bytes; the same bug on an SSO IdP leaks the keys to the kingdom. High-value memory plus a pre-auth parsing surface plus internet exposure is a recurring recipe, and as long as those three properties coexist, the CitrixBleed pattern will keep recurring under new CVE numbers.

There is also a defender-side structural failure that the 2023 event exposed and 2026 risked repeating: the patch-only response. Organizations treated CitrixBleed as a patch ticket, applied the fix, and closed it, without rotating the sessions an attacker had already harvested. Ransomware operators walked in on stolen tokens weeks later. The memory-disclosure class specifically defeats patch-only remediation, and that operational lesson is still not universally internalized.

The structural fix

The first job is knowing which of your NetScaler appliances are actually in the reachable, exploitable population: internet-facing and configured as a SAML IdP, not merely "running an affected version." Reachability analysis is the discipline that separates the affected-build inventory from the genuinely-exposed subset, so engineers patch and rotate the IdPs that matter first instead of treating every NetScaler equally. Because CVE-2026-3055 arrived on KEV with active exploitation, a fast zero-day response loop is what shortens dwell time, turning the KEV entry into an inventory query, a patch action, a session-rotation step, and a hunt checklist within hours. Tracking the CVE through a consistent CVE/CWE/EPSS/KEV lens keeps the prioritization honest when the next memory-disclosure bug lands. None of this prevents the underlying parsing flaw; it shrinks the window between disclosure and a patched, session-rotated, hunted estate, which is the window that turned CitrixBleed into ransomware.

What we know we don't know

  • The scale of the 2026 campaign. The CitrixBleed comparison is a researcher warning, not a confirmed equivalence. Victim counts and named organizations were not publicly established at the time of writing.
  • Which threat actors are involved. Early exploitation traced to known threat-actor IPs, but specific group attribution for CVE-2026-3055 is not public.
  • How much memory and what specifically leaked. The NSC_TASS leakage vector is documented; the precise bounds of what each leak exposes depend on appliance state and are not fully characterized publicly.
  • The exploitation tail length. Memory-disclosure campaigns against NetScaler have historically run long after the patch. How far into 2026 active abuse continued is a live, evolving question.

References

  • NVD, CVE-2026-3055: https://nvd.nist.gov/vuln/detail/CVE-2026-3055
  • Citrix, "Security Bulletin for CVE-2026-3055 and CVE-2026-4368" (CTX696300): https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
  • The Hacker News, "Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks": https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
  • Cybersecurity Dive, "Citrix NetScaler products confirmed to be under exploitation": https://www.cybersecuritydive.com/news/citrix-netscaler-exploitation-vulnerabilities/816097/
  • BleepingComputer, "Critical Citrix NetScaler memory flaw actively exploited in attacks": https://www.bleepingcomputer.com/news/security/critical-citrix-netscaler-memory-flaw-actively-exploited-in-attacks/