Citrix Patches Critical NetScaler Vulnerability Reminiscent of 'CitrixBleed' Flaws
**Citrix** has released patches for two vulnerabilities affecting **NetScaler ADC** and **NetScaler Gateway**, including a critical flaw that bears a striking resemblance to the infamous 'CitrixBleed' vulnerabilities. The more severe bug could allow attackers to steal sensitive information, highlighting the urgency for administrators to apply the updates.

**Citrix** has addressed two security vulnerabilities impacting its **NetScaler ADC** networking appliances and **NetScaler Gateway** secure remote access solutions. One of these flaws closely mirrors the **CitrixBleed** and **CitrixBleed2** vulnerabilities that were exploited in zero-day attacks in recent years.
### CVE-2026-3055: A Critical Memory Overread Vulnerability
The critical security bug, tracked as **CVE-2026-3055**, stems from insufficient input validation. This can lead to a memory overread on **Citrix ADC** or **Citrix Gateway** appliances configured as a SAML identity provider (IDP). Successful exploitation could allow remote, unprivileged attackers to steal sensitive information, such as session tokens.
"**Cloud Software Group** strongly urges affected customers of **NetScaler ADC** and **NetScaler Gateway** to install the relevant updated versions as soon as possible," the company warned in an advisory released on Monday. **Citrix** has also shared detailed guidance on identifying and patching vulnerable **NetScaler** instances.
### CVE-2026-4368: User Session Mix-Ups
The second vulnerability, **CVE-2026-4368**, affects appliances configured as Gateways (SSL VPN, ICA Proxy, CVPN, RDP proxy) or AAA virtual servers. This flaw could allow threat actors with low privileges to exploit a race condition in low-complexity attacks, potentially leading to user session mix-ups.
### Affected Versions and Patches
Both vulnerabilities affect **NetScaler ADC** and **NetScaler Gateway** versions 13.1 and 14.1 (fixed in 13.1-62.23 and 14.1-66.59) and **NetScaler ADC** 13.1-FIPS and 13.1-NDcPP (addressed in 13.1-37.262).
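To turn the fixed builds above into a quick inventory triage, here is an added Python example (not Citrix's own tooling or guidance): it parses a NetScaler version string, compares the build against the fixed build for its branch and edition, and flags anything older. It assumes the version appears either as `14.1-66.50` or in the `NS14.1: Build 66.50.nc` shape, and that the caller knows whether an appliance runs the FIPS/NDcPP line, since that line has its own 13.1-37.x build series and must not be compared against the standard 13.1 fix.

```python
import re
from typing import Optional, Tuple

# Fixed builds as stated in the advisory coverage above, keyed by (branch, edition).
# 13.1-FIPS and 13.1-NDcPP share the 13.1-37.x series and are keyed as "fips".
FIXED_BUILDS = {
    ("13.1", "standard"): (62, 23),
    ("14.1", "standard"): (66, 59),
    ("13.1", "fips"): (37, 262),
}

# Matches "14.1-66.50" as well as the assumed `show ns version` shape
# "NS14.1: Build 66.50.nc": a branch, then the major.minor build numbers.
VERSION_RE = re.compile(r"(\d+\.\d+)\D+(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build_major, build_minor)), e.g. ('14.1', (66, 50))."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build predates the fixed build for its branch/edition,
    False if it is at or beyond it, None if the branch is not covered by
    the fixed-build data on this page (so no claim is made about it)."""
    branch, build = parse_version(version)
    key = (branch, "fips" if edition.lower() in ("fips", "ndcpp") else "standard")
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    return build < fixed


def triage(inventory):
    """Label each (host, version, edition) tuple of a constructed inventory."""
    labels = {True: "VULNERABLE - patch", False: "patched", None: "branch not covered"}
    return {host: labels[is_vulnerable(ver, ed)] for host, ver, ed in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample = [
        ("gw-1.example.test", "14.1-66.50", "standard"),
        ("gw-2.example.test", "NS14.1: Build 66.59.nc", "standard"),
        ("adc-fips.example.test", "13.1-37.250", "fips"),
        ("adc-old.example.test", "13.0-92.21", "standard"),
    ]
    for host, label in triage(sample).items():
        print(f"{host}: {label}")
```

A result of `None` means the branch is outside the data on this page, not that the appliance is safe; check it against the vendor advisory separately.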
### Exposure and Urgency
**Shadowserver**, an internet security watchdog group, is currently tracking over 30,000 **NetScaler ADC** instances and more than 2,300 **Gateway** instances exposed online. The number of instances using vulnerable configurations or already patched remains unknown.

*Citrix NetScaler ADC instances exposed online (Shadowserver)*
### Echoes of CitrixBleed
Cybersecurity firms have highlighted the similarities between **CVE-2026-3055** and the previous **CitrixBleed** and **CitrixBleed2** vulnerabilities, which were actively exploited in zero-day attacks.
watchTowr noted, "Unfortunately, many will recognise this as sounding similar to the widely exploited 'CitrixBleed' vulnerability from 2023 and the subsequent 'CitrixBleed2' variant disclosed in 2025, both of which were and continue to be actively leveraged in real-world attacks."
Rapid7 added, "Exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public. Therefore, it is crucial that customers running affected **Citrix** systems remediate this vulnerability as soon as possible; **Citrix** software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous 'CitrixBleed' vulnerability, **CVE-2023-4966**, in 2023."
### CISA's History with Citrix Vulnerabilities
In August 2025, **CISA** flagged **CitrixBleed2** as actively exploited, giving federal agencies a single day to patch their systems. To date, **CISA** has tagged 21 **Citrix** vulnerabilities as exploited in the wild, with seven being used in ransomware attacks.