Published: Thu 2 July 2026
Prepared by: Brandon Sawyer, Vulnerability Analyst
On 30 June 2026 Citrix disclosed CVE-2026-8451, a high-severity (CVSS v4.0: 8.8) pre-authentication memory overread vulnerability affecting NetScaler ADC and NetScaler Gateway appliances configured as a SAML Identity Provider (IdP). Security researchers at watchTowr have placed this CVE in the infamous "CitrixBleed" lineage, highlighting its similarity to previous Citrix NetScaler memory disclosure vulnerabilities that have been widely exploited in real-world attacks. The researchers identified the flaw while analysing previous CitrixBleed-related vulnerabilities and have expressed concern about the continued emergence of memory disclosure issues within the NetScaler platform.
At the time of writing, there is no public confirmation of active exploitation; however, given the history of exploitation associated with CitrixBleed class vulnerabilities, organisations should prioritise remediation of affected systems.
CVE-2026-8451 is an out-of-bounds read caused by insufficient input validation during the processing of SAML authentication requests. It affects NetScaler appliances operating as a SAML IdP and may allow a remote, unauthenticated attacker to trigger disclosure of sensitive memory contents from the appliance.
According to watchTowr's analysis, the vulnerability exists within custom XML parsing logic used during SAML authentication processing. Researchers identified conditions where malformed SAML authentication requests could cause the appliance to read beyond intended memory boundaries, potentially exposing sensitive information stored in process memory.
Successful exploitation may allow an unauthenticated attacker to disclose sensitive information from appliance memory. Depending on the contents exposed, this could result in:
Citrix customers are advised to check affected systems and upgrade to fixed versions immediately.
| Product | Affected Version | Fixed Version |
|---|---|---|
| NetScaler ADC & Gateway 14.1 | < 14.1-72.61 | ≥ 14.1-72.61 |
| NetScaler ADC & Gateway 13.1 | < 13.1-63.18 | ≥ 13.1-63.18 |
| NetScaler ADC FIPS 14.1 | < 14.1-72.61 FIPS | ≥ 14.1-72.61 FIPS |
| NetScaler ADC FIPS / NDcPP 13.1 | < 13.1-37.272 | ≥ 13.1-37.272 |
Note: NetScaler ADC or NetScaler Gateway must be configured as a SAML IdP as a precondition to be vulnerable to CVE-2026-8451. Customers can determine whether an appliance meets this precondition by inspecting their NetScaler configuration for the following string:
"add authentication samlIdPProfile"
Verify the current version of your NetScaler ADC or NetScaler Gateway against the affected builds listed above.
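As an added example (not from the advisory or from Citrix), the following Python script applies the two checks above to a constructed ns.conf excerpt and a build string: it looks for the samlIdPProfile line and compares the build against the fixed builds in the table, treating 13.1 FIPS/NDcPP as its own branch. The config excerpt, sample build strings and function names are assumptions.

```python
import re

# Fixed builds from the advisory's table, keyed by release line
# (13.1 FIPS/NDcPP is a separate branch with its own fixed build).
FIXED_BUILDS = {
    "14.1": (14, 1, 72, 61),
    "13.1": (13, 1, 63, 18),
    "13.1-FIPS": (13, 1, 37, 272),
}

BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:\s+FIPS)?$")

# Constructed ns.conf excerpt (not a real appliance configuration).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile saml_idp_prof -samlIdPCertName idp_cert
add authentication samlIdPPolicy saml_idp_pol -rule true -action saml_idp_prof
"""

def parse_build(build):
    """'14.1-72.61' -> (14, 1, 72, 61); rejects unexpected formats."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())

def is_saml_idp(ns_conf):
    """The advisory's precondition: a SAML IdP profile exists in the config."""
    return any(line.strip().startswith("add authentication samlIdPProfile")
               for line in ns_conf.splitlines())

def assess(build, ns_conf, fips=False):
    """Return 'patched', 'vulnerable', 'not-saml-idp' or 'unknown-release'."""
    v = parse_build(build)
    key = f"{v[0]}.{v[1]}"
    if fips and key == "13.1":
        key = "13.1-FIPS"
    if key not in FIXED_BUILDS:
        return "unknown-release"
    if not is_saml_idp(ns_conf):
        return "not-saml-idp"   # precondition not met; still upgrade per vendor guidance
    return "vulnerable" if v < FIXED_BUILDS[key] else "patched"

if __name__ == "__main__":
    for b in ("14.1-65.20", "14.1-72.61", "13.1-37.272"):
        print(b, assess(b, SAMPLE_NS_CONF), "/ FIPS:", assess(b, SAMPLE_NS_CONF, fips=True))
```

Feed it the output of `show ns runningConfig` (or a saved ns.conf) together with the build reported by `show ns version`; a result of `not-saml-idp` means the precondition is absent, not that the build is current.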
MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of CVE-2026-8451 across supported log sources.
Vulnerability Management customers: Environments are being assessed for NetScaler versions vulnerable to CVE-2026-8451; any findings will be communicated through priority channels.
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604