
‘Bleed’ Trilogy Complete With Newest Memory Leak in Citrix NetScaler

Scott Walsh, March 23, 2026

For the third time in as many years, businesses are being urged to patch a “bleed”-style vulnerability in Citrix NetScaler.

What began with the original Citrix Bleed (CVE-2023-4966) in late 2023 has become a predictable, recurring failure in how these appliances manage sensitive memory. The latest critical flaws (CVE-2026-3055 and CVE-2026-4368) allow unauthenticated remote attackers to bypass multi-factor authentication (MFA) by siphoning active session tokens directly from the device’s memory.

The handling of the vulnerabilities’ disclosure has been equally alarming. Nearly a week before the critical vulnerabilities were disclosed, Citrix’s CEO Kumar Palaniappan emailed customers on March 17, 2026, to “urge immediate attention” across all Citrix products and to apply all available patches and updates immediately. 

The seemingly preemptive outreach, which lacked specific CVE details or technical context, left many IT teams blind to the actual threat they were racing against until the formal security bulletin finally dropped on March 23, 2026. While it’s possible the outreach was due to reports of mass internet scanning for the older CitrixBleed vulnerabilities, the timing is peculiar.

Upon public disclosure, Coalition promptly notified policyholders about the critical vulnerabilities in NetScaler ADC and NetScaler Gateway.

What’s happening?

Citrix NetScaler ADC and Gateway serve as the primary gatekeepers for business networks, managing high-volume traffic and providing secure remote access via SSL VPNs. Because these appliances sit at the network edge, they are high-value targets for attackers who often deploy automated scripts to scan for these entry points within hours of a public disclosure. The two new vulnerabilities:

  • CVE-2026-3055 can allow an unauthenticated attacker to leak sensitive system memory. By sending a specifically crafted request, an attacker can force the appliance to reveal data stored in its memory, which may include administrative credentials, active session cookies, or SSL private keys.

  • CVE-2026-4368 can lead to a user session mix-up. Under specific timing conditions, the system may incorrectly associate one user's request with another user's authenticated session. This could allow an attacker to hijack a high-privilege session without needing a password or valid credentials.

Coalition analysis indicates that any asset running an unpatched version of these products is at high risk, particularly those configured as a SAML Identity Provider (IdP) or a VPN gateway.

Who’s at risk?

The vulnerabilities affect several supported versions of the software, as well as versions that have reached end of life (EOL). Businesses running the following versions are at immediate risk:

  • NetScaler 14.1: Versions before 14.1-66.59

  • NetScaler 13.1: Versions before 13.1-62.23

  • NetScaler 13.1 FIPS/NDcPP: Versions before 13.1-37.262

Versions 12.1 and 13.0 are now EOL and remain permanently vulnerable. Any organization still utilizing these versions should prioritize migration to a supported branch immediately.

How should businesses address this?

Coalition recommends that all Citrix administrators perform an immediate audit and upgrade their appliances to the latest patched versions.

To determine specific exposure, administrators should inspect their NetScaler configuration for strings related to samlIdPProfile, authentication vserver, or vpn vserver.

For detailed technical guidance and specific build numbers, refer to the Citrix security bulletin.
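The audit described above can be scripted. The following is an added example, not code from Coalition or Citrix: it compares a version written in this post's "branch-build" notation against the fixed builds listed above and searches saved configuration text for the three strings. The function names, the `priority` flag and the sample configuration are assumptions made for illustration.

```python
import re

# First patched build per branch, as listed on this page.
FIXED = {"14.1": (66, 59), "13.1": (62, 23), "13.1-fips": (37, 262)}
EOL = {"12.1", "13.0"}  # end of life per the page: no fix is coming

# Configuration strings the page says to look for.
EXPOSURE = {
    "saml_idp": re.compile(r"\bsamlIdPProfile\b", re.I),
    "auth_vserver": re.compile(r"\bauthentication\s+vserver\b", re.I),
    "vpn_vserver": re.compile(r"\bvpn\s+vserver\b", re.I),
}

def patch_status(version, fips=False):
    """Classify a version in the page's 'branch-build' form, e.g. '14.1-60.52'."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    if branch in EOL:
        return "eol"
    fixed = FIXED.get(branch + "-fips" if fips else branch)
    if fixed is None:
        return "unknown"
    # Integer tuples, so 66.9 sorts below 66.59 (a string compare would not).
    return "patched" if build >= fixed else "vulnerable"

def exposure_roles(config_text):
    """Return the sorted roles found on non-comment configuration lines."""
    found = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        found.update(name for name, rx in EXPOSURE.items() if rx.search(line))
    return sorted(found)

def triage(version, config_text, fips=False):
    """'priority' (this example's own convention): unpatched or EOL, with a listed role."""
    status, roles = patch_status(version, fips), exposure_roles(config_text)
    return {"status": status, "roles": roles,
            "priority": status in ("vulnerable", "eol") and bool(roles)}

# Constructed sample configuration, not taken from a real appliance.
SAMPLE = """\
add authentication vserver aaa_vs SSL 192.0.2.10 443
add authentication samlIdPProfile idp_prof
add vpn vserver gw_vs SSL 192.0.2.11 443
# add vpn vserver old_gw SSL 192.0.2.12 443
add lb vserver web_vs HTTP 192.0.2.20 80
"""
```

Calling `triage("14.1-60.52", SAMPLE)` reports a vulnerable build with all three roles present; pass `fips=True` for 13.1 FIPS/NDcPP appliances so the build is compared against 13.1-37.262.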

How Coalition is responding

Coalition notified all impacted policyholders on March 23, 2026, and is actively monitoring for these specific vulnerable configurations. Coalition policyholders can log in to Coalition Control® for the latest updates.

For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.

