No active exploitation. No public proof-of-concept. So why are researchers calling this one “poised for exploitation”?

CVE-2026-3055 is a CVSS 9.3 unauthenticated memory read in NetScaler ADC and Gateway. No credentials required. An attacker sends a crafted request, and the appliance hands back memory contents it shouldn’t. That can include active session tokens for users currently authenticated through the device.

If you remember CitrixBleed (CVE-2023-4966): this is the same class of flaw, in the same component, with the same “serious but not yet actively exploited” framing at disclosure. LockBit and others weaponized it within weeks. The window between “Citrix patches a session-token leak” and “ransomware groups have working exploits” has historically been short.

Cloud-managed NetScaler customers are already covered. If you’re running self-managed, on-premises instances with SAML enabled, treat this as an emergency change, not a routine one. Don’t wait for a maintenance window. Escalate past it. And because the flaw leaks live session tokens, patching alone doesn’t revoke anything already exposed: terminate active sessions after the update so any token read before the patch stops working.

Why the CitrixBleed comparison is pattern recognition, not alarmism, and what to do about it tonight.