Citrix has released fixes for six vulnerabilities in NetScaler ADC and NetScaler Gateway, including a high-severity memory-disclosure flaw that researchers place in the same class as the 2023 CitrixBleed bug. That flaw (CVE-2026-8451, rated 8.8) leaks small amounts of memory through malformed SAML requests and shares a root cause with an earlier NetScaler bug that was exploited within days of disclosure. The bulletin also covers an unauthenticated arbitrary file read and several denial-of-service issues, with CVSS scores from 6.9 to 8.8. No exploitation has been reported yet, but NetScaler appliances have drawn more than 20 entries on CISA's exploited-vulnerabilities list in three years, several used in ransomware.
The Citrix NetScaler flaw we reported under active recon two days ago has escalated fast. Attackers are now sending crafted SAMLRequest payloads that trigger memory leaks exposing sensitive data through session cookies. CISA added CVE-2026-3055 to the Known Exploited Vulnerabilities catalog on March 30 with an unusually tight April 2 remediation deadline - just three days for federal agencies.
Attackers are scanning internet-facing Citrix NetScaler ADC and Gateway appliances right now, probing the /cgi/GetAuthMethods endpoint to find which ones are configured as SAML identity providers - the exact setup needed to trigger this CVSS 9.3 memory-leak flaw. Not full exploitation yet, but researchers at watchTowr warn the jump from recon to attack could happen any day.