CVE-2026-3055: Citrix NetScaler ADC/Gateway SAML IdP Memory Overread (CitrixBleed 3) Exposes Session Tokens
A critical new vulnerability, CVE-2026-3055, is being actively probed in the wild, targeting Citrix NetScaler ADC and Gateway appliances configured as SAML Identity Providers. With a CVSS score of 9.3, this unauthenticated memory overread flaw, dubbed 'CitrixBleed 3', allows attackers to directly leak sensitive session tokens and administrative credentials from the appliance's memory without needing valid login credentials. The prerequisite for exploitation is specific: the targeted system must be configured as a SAML IdP, which narrows the attack surface but creates a high-risk scenario for affected organizations.
The vulnerability is an out-of-bounds memory read. Security researchers, including those from watchTowr, have reported active reconnaissance against the specific endpoints associated with this flaw, indicating that threat actors are already mapping vulnerable targets. Detection templates are being developed to perform non-intrusive checks by fingerprinting this reconnaissance activity and validating the state of the SAML/Federated Identity engine, giving defenders a way to identify potential exposure.
The emergence of CitrixBleed 3 follows a pattern of severe vulnerabilities in these widely deployed network appliances, placing immediate pressure on IT and security teams to audit their configurations and apply patches. Organizations using Citrix NetScaler for SAML-based single sign-on are at particular risk and must urgently consult Citrix Security Bulletin CTX696300. The active scanning suggests exploitation attempts could escalate rapidly, turning reconnaissance into credential harvesting and subsequent network breaches.
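A defender-side triage example for the two checks the article points at: whether an appliance meets the SAML IdP prerequisite (the configuration audit), and fingerprinting repeated unauthenticated hits on the SAML IdP endpoint in access logs (the reconnaissance pattern). This is added code, not from the article, watchTowr or Citrix; the log line shape, the `/saml/` path and the `cookie=` field are assumptions, and `add authentication samlIdPProfile` / `samlIdPPolicy` are the NetScaler CLI commands that define IdP mode.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the SAML IdP SSO endpoint lives under /saml/ (e.g. /saml/login).
SAML_IDP_PATH = re.compile(r"^/saml/")
# Assumed (constructed) access-log shape: "<ISO ts> <src_ip> <METHOD> <path> <status> cookie=<yes|no>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) cookie=(yes|no)$")

def is_saml_idp(ns_conf: str) -> bool:
    """Prerequisite check: ns.conf defines both a SAML IdP profile and a SAML IdP policy."""
    has_profile = re.search(r"^add authentication samlIdPProfile\b", ns_conf, re.M)
    has_policy = re.search(r"^add authentication samlIdPPolicy\b", ns_conf, re.M)
    return bool(has_profile and has_policy)

def flag_recon(log_lines, threshold=5, window=timedelta(minutes=5)):
    """Sources with >= threshold unauthenticated (no session cookie) SAML IdP hits in one window."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, src, _method, path, _status, cookie = m.groups()
        if SAML_IDP_PATH.match(path) and cookie == "no":
            hits[src].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            # count hits in the sliding window [start, start + window]
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                flagged[src] = len(times)
                break
    return flagged

# Constructed samples: an IdP-mode config and a short log with one probing source.
SAMPLE_CONF = """add authentication samlIdPProfile idp_prof -samlIdPCertName cert1
add authentication samlIdPPolicy idp_pol -rule true -action idp_prof
"""
SAMPLE_LOG = [
    "2026-03-01T10:00:00 203.0.113.5 GET /saml/login 400 cookie=no",
    "2026-03-01T10:00:07 203.0.113.5 GET /saml/login 400 cookie=no",
    "2026-03-01T10:00:15 203.0.113.5 POST /saml/login 500 cookie=no",
    "2026-03-01T10:00:20 203.0.113.5 GET /saml/login 400 cookie=no",
    "2026-03-01T10:00:31 203.0.113.5 GET /saml/login 400 cookie=no",
    "2026-03-01T10:01:02 203.0.113.5 GET /saml/login 400 cookie=no",
    "2026-03-01T10:00:09 198.51.100.7 GET /saml/login 302 cookie=yes",
    "2026-03-01T10:02:00 203.0.113.9 GET /saml/login 400 cookie=no",
]
```

An appliance where `is_saml_idp` returns False (SP-only SAML, using `samlAction`) does not meet the stated prerequisite, but should still be checked against CTX696300.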