Citrix urges admins to patch critical NetScaler flaws CVE-2026-3055 and CVE-2026-4368. The memory‑read bug resembles CitrixBleed; over 30,000 instances exposed online

Continue reading
Citrix has released critical security updates to address two vulnerabilities affecting its NetScaler ADC (Application Delivery Controller) and NetScaler Gateway products, warning administrators to apply the patches immediately. The most severe of the two, tracked as CVE-2026-3055, bears striking similarities to the infamous “CitrixBleed” vulnerabilities that were exploited in widespread zero-day attacks over the past several years.
The company warned that failure to patch could allow unauthenticated attackers to steal sensitive information, including session tokens, potentially leading to a full system compromise.
The critical vulnerability, CVE-2026-3055, stems from insufficient input validation that results in a memory overread condition. This flaw affects appliances configured as a SAML identity provider (IDP). According to Citrix, a remote attacker with no privileges could exploit this to _“steal sensitive information such as session tokens.”_
Security researchers were quick to note the vulnerability’s resemblance to past high-profile flaws.
_“Unfortunately, many will recognize this as sounding similar to the widely exploited ‘CitrixBleed’ vulnerability from 2023 and the subsequent ‘CitrixBleed2’ variant disclosed in 2025, both of which were and continue to be actively leveraged in real-world attacks,”_ said cybersecurity firm watchTowr in an analysis.
Although Citrix stated the vulnerability was discovered internally, experts warn that threat actors are likely to reverse-engineer the patch to create working exploits. Rapid7 echoed this concern, stating that _“exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public,”_ noting that Citrix software has a history of memory leak vulnerabilities being broadly weaponized.
Alongside the critical flaw, Citrix patched a second vulnerability, CVE-2026-4368. This issue affects appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual servers. It allows attackers with low privileges to exploit a race condition, potentially leading to user session mix-ups.
Both vulnerabilities impact the following supported versions:
The issues are fixed in the following updated versions:
According to the Shadowserver Foundation, an internet security watchdog, there are currently more than 30,000 NetScaler ADC instances and over 2,300 Gateway instances exposed online. While it remains unclear how many of these are using vulnerable configurations or have already applied patches, the large attack surface has heightened concerns.
Citrix urged customers to act swiftly. _“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,”_ the company stated in its advisory, providing detailed guidance on identifying and patching vulnerable instances.
The urgency is underscored by the history of similar flaws. In August 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged the “CitrixBleed2” vulnerability as actively exploited, giving federal agencies just one day to secure their systems. To date, CISA has added 21 Citrix vulnerabilities to its Known Exploited Vulnerabilities catalog, seven of which have been leveraged in ransomware attacks.
Administrators are advised to review Citrix’s security bulletin immediately and prioritize patching these flaws to prevent potential data breaches and unauthorized network access.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.