Security · 2 min read

CVE-2026-3055: a Citrix NetScaler memory flaw is being used to steal sessions

Citrix published an advisory on March 23 for CVE-2026-3055, a critical flaw in NetScaler ADC and NetScaler Gateway appliances rated CVSS 9.3. The bug is a memory overread: insufficient input validation makes the device hand back chunks of its own memory to anyone who knows how to ask. Those chunks can include valid session tokens, and with an administrative session token an attacker walks into the network without a password and without passing the second factor.

Who is affected

Only appliances configured as a SAML Identity Provider (SAML IdP) are vulnerable. If your NetScaler does not act as a SAML IdP, this particular CVE does not touch you, but check rather than assume, since configurations drift over time: on the appliance, show authentication samlIdPProfile lists any IdP profiles, and an appliance with none is not acting as an IdP. If profiles do exist, confirm whether a SAML IdP policy is actually bound to a virtual server before you rule the appliance out. Affected versions:

  • NetScaler ADC and Gateway 14.1 before 14.1-60.58
  • NetScaler ADC and Gateway 13.1 before 13.1-62.23
  • NetScaler ADC FIPS and NDcPP before 13.1-37.262

Versions 13.0 and 12.1 are end of life and get no patch, so if you are still on those branches the only real path forward is migration.

How it is exploited

The attack targets the /saml/login endpoint. The attacker sends a crafted SAMLRequest that omits the AssertionConsumerServiceURL field, and the appliance responds by leaking memory contents through the NSC_TASS cookie. Repeating the request pulls out fragment after fragment until something useful turns up. No authentication or prior access is needed; reaching the device over the network is enough.
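The request shape described above is also the thing to hunt for in logs. The following is an added example for this article, not Citrix's or CrowdSec's tooling: it decodes the SAMLRequest parameter from HTTP-Redirect-binding requests to /saml/login (base64 of raw DEFLATE, with plain base64 XML accepted as well), checks whether the AuthnRequest carries an AssertionConsumerServiceURL attribute, and counts requests that lack it per source address, because the overread has to be repeated to harvest anything useful. The access-log format, the IP addresses and the SAMLRequest payloads are all constructed here; adjust the log regex to whatever sits in front of your appliance.

```python
"""Flag SAMLRequests to /saml/login that omit AssertionConsumerServiceURL.

Added example, not part of the original article or any vendor tooling.
Log lines and SAML payloads below are constructed for the demonstration.
"""
import base64
import re
import zlib
from collections import Counter
from urllib.parse import parse_qs, quote, unquote, urlsplit
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_DECODED = 64 * 1024  # refuse to inflate or parse anything larger than this

# Apache/NGINX combined-log style; constructed assumption about your log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_saml_request(value):
    """Return the AuthnRequest XML from a SAMLRequest parameter, or None.

    Handles the Redirect binding (base64 of raw DEFLATE) and the POST binding
    (base64 of plain XML). Size caps keep hostile input from blowing up memory.
    """
    try:
        raw = base64.b64decode(unquote(value))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) > MAX_DECODED:
        return None
    if raw.lstrip().startswith(b"<"):
        xml_bytes = raw  # POST binding: already XML
    else:
        try:
            xml_bytes = zlib.decompress(raw, wbits=-15)  # raw DEFLATE, no zlib header
        except zlib.error:
            return None
    if len(xml_bytes) > MAX_DECODED:
        return None
    return xml_bytes.decode("utf-8", errors="replace")


def missing_acs_url(xml_text):
    """True when the AuthnRequest has no AssertionConsumerServiceURL attribute.

    Returns None when the input does not parse or is not an AuthnRequest.
    On real traffic prefer defusedxml over the stdlib parser.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        return None
    return "AssertionConsumerServiceURL" not in root.attrib


def scan_access_log(lines, threshold=3):
    """Map source IP -> number of /saml/login hits whose SAMLRequest lacked the
    ACS URL (or could not be decoded at all), keeping sources at or above threshold."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/saml/login"):
            continue
        values = parse_qs(parts.query, keep_blank_values=True).get("SAMLRequest")
        if not values:
            continue
        xml_text = decode_saml_request(values[0])
        # An undecodable SAMLRequest aimed at this endpoint is itself worth a look.
        if xml_text is None or missing_acs_url(xml_text):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# ---- constructed sample data -------------------------------------------------

def redirect_param(xml_text):
    """Encode XML the way an HTTP-Redirect binding SP would (for test data)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")


def log_line(ip, param):
    return ('%s - - [28/Mar/2026:10:00:00 +0000] '
            '"GET /saml/login?SAMLRequest=%s HTTP/1.1" 200 512' % (ip, param))


GOOD_REQ = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_a1" Version="2.0" '
            'IssueInstant="2026-03-28T10:00:00Z" '
            'AssertionConsumerServiceURL="https://sp.example.test/acs"/>' % SAMLP)
BAD_REQ = ('<samlp:AuthnRequest xmlns:samlp="%s" ID="_b2" Version="2.0" '
           'IssueInstant="2026-03-28T10:00:01Z"/>' % SAMLP)

SAMPLE_LOG = [
    log_line("203.0.113.10", redirect_param(GOOD_REQ)),          # legitimate SP
    *[log_line("198.51.100.7", redirect_param(BAD_REQ)) for _ in range(5)],  # repeated probing
    log_line("203.0.113.11", redirect_param(BAD_REQ)),           # one-off, below threshold
    '203.0.113.12 - - [28/Mar/2026:10:00:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, n in scan_access_log(SAMPLE_LOG).items():
        print("%s sent %d SAMLRequests without AssertionConsumerServiceURL" % (ip, n))
```

A single malformed request is weak evidence on its own, since a misconfigured service provider can produce one; the repetition from one source is what distinguishes harvesting from noise, which is why the threshold defaults to more than one.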

This is being exploited in the wild. CrowdSec spotted the first traces on March 27, only days after disclosure, and CISA added the flaw to its KEV catalog with an April 2, 2026 deadline for federal agencies. The resemblance to CitrixBleed has earned it the nickname “CitrixBleed 3” across several analyses.

What to do

Update to a patched build as soon as you can:

  • 14.1 branch: 14.1-60.58 or later
  • 13.1 branch: 13.1-62.23 or later
  • FIPS / NDcPP: 13.1-37.262 or later
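Comparing a build string against both lists above (the affected versions under "Who is affected" and the fixed builds just listed) trips people up on the FIPS and NDcPP appliances, whose builds live on the 13.1-37.x line: a plain numeric comparison against 13.1-62.23 would report a patched 13.1-37.262 FIPS build as vulnerable. The following added example, not a Citrix tool, classifies a version string as the advisory's tables would, accepting either the 14.1-60.58 form used in the bulletin or the "NS14.1: Build 60.58.nc" form that show ns version prints. The sample version strings in the test are constructed.

```python
"""Classify a NetScaler build against the fixed builds in this article.

Added example for the article, not vendor code. Thresholds are the fixed
builds the article lists; the fips flag selects the 13.1-37.x (FIPS/NDcPP)
line, which must not be compared against the mainline 13.1 threshold.
"""
import re

# (build, sub-build) thresholds per branch, from the advisory as quoted above
FIXED_MAINLINE = {"14.1": (60, 58), "13.1": (62, 23)}
FIXED_FIPS_NDCPP = {"13.1": (37, 262)}
END_OF_LIFE = {"13.0", "12.1"}

# Accepts "14.1-60.58" and "NetScaler NS14.1: Build 60.58.nc, Date: ..."
VERSION_RE = re.compile(
    r"(?:NS)?(?P<major>\d+)\.(?P<minor>\d+)(?:-|:\s*Build\s+)(?P<build>\d+)\.(?P<sub>\d+)"
)


def parse_build(text):
    """Return (branch, (build, sub)) from a version string, e.g. ('14.1', (60, 58))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised NetScaler version string: %r" % text)
    branch = "%s.%s" % (m["major"], m["minor"])
    return branch, (int(m["build"]), int(m["sub"]))


def classify(text, fips=False):
    """One of 'patched', 'vulnerable', 'end_of_life' or 'unknown'.

    'unknown' means the article gives no threshold for that branch/edition,
    which is a reason to read the bulletin, not a reason to relax.
    """
    branch, build = parse_build(text)
    if branch in END_OF_LIFE:
        return "end_of_life"
    table = FIXED_FIPS_NDCPP if fips else FIXED_MAINLINE
    if branch not in table:
        return "unknown"
    return "patched" if build >= table[branch] else "vulnerable"


if __name__ == "__main__":
    for sample, is_fips in [("14.1-56.13", False), ("13.1-37.262", True), ("13.0-92.21", False)]:
        print(sample, "fips" if is_fips else "mainline", "->", classify(sample, fips=is_fips))
```

Feed it the output of show ns version together with whether the appliance is a FIPS or NDcPP build; the edition is not recoverable from the build number alone, which is exactly why the flag is an explicit input.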

Patching alone is not enough. If the appliance was reachable from untrusted networks while it was vulnerable, assume session tokens have already leaked: after upgrading, terminate every active session (ICA, PCoIP, AAA and management) so that anything an attacker captured stops working. Citrix's remediation guidance for the original CitrixBleed used kill icaconnection -all, kill pcoipConnection -all, kill aaa session -all and clear lb persistentSessions for this, and those cover the ICA, PCoIP and AAA sessions here. Then review the logs for SAMLRequests to /saml/login that carry no AssertionConsumerServiceURL, particularly many such requests from one source, since the overread has to be repeated to harvest anything useful. Until you can patch, restrict access to the SAML endpoint from untrusted networks.

Citrix bundled this advisory with CVE-2026-4368 in bulletin CTX696300, so cover both when you review.
