June 30, 2026
Multiple High-Severity Vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway (CVE-2026-8451)
Executive Summary
On June 30th, 2026, Citrix disclosed a high-severity vulnerability in its NetScaler ADC and NetScaler Gateway products. Tracked as CVE-2026-8451, the flaw lets an unauthenticated, remote attacker leak fragments of appliance memory from a NetScaler configured as a SAML identity provider, placing it in the same class of memory disclosure flaws collectively known as "CitrixBleed."
NetScaler ADC and NetScaler Gateway are internet-facing application delivery and VPN appliances that provide load balancing, authentication, and remote access services. Past “CitrixBleed” vulnerabilities have been exploited to leak sensitive data such as account details and credentials, which could give an attacker initial access to affected organizations.
Although active exploitation has not been reported at the time of writing, vulnerabilities in the “CitrixBleed” category have historically been weaponized following disclosure. Beazley Security recommends affected organizations apply available fixes as soon as possible.
Affected Systems or Products
Product | Affected Versions
NetScaler ADC and NetScaler Gateway 14.1 | before 14.1-72.61
NetScaler ADC and NetScaler Gateway 13.1 | before 13.1-63.18
NetScaler ADC FIPS 14.1 | before 14.1-72.61 FIPS
NetScaler ADC FIPS and NDcPP 13.1 | before 13.1-37.272
Mitigations / Workarounds
Given the rapid weaponization of previous “CitrixBleed” vulnerabilities and the potential for memory disclosure to expose sensitive information, Beazley Security strongly recommends that the patches be applied.
If organizations are unable to apply available fixes, the following steps may help to temporarily reduce risk:
Temporarily disable SAML IdP functionality until updates can be applied.
Limit access of internet-facing NetScaler devices to trusted and administrative networks where possible.
Patches
Cloud-managed NetScaler services have already received updates from the vendor. Citrix has released fixes for customer-managed devices, and additional information can be found in the official Citrix advisory.
Technical Details
CVE-2026-8451 is a pre-authentication memory overread in the SAML identity provider functionality of NetScaler, reachable only when the appliance is configured as a SAML IdP.
SAML authentication starts with the client submitting a base64-encoded XML document to /saml/login, and NetScaler parses that document with a custom XML parser rather than a vetted library. The custom attribute parser has a bug in its handling of unquoted attribute values: it stops reading only at a null byte, a closing “greater than” symbol, or a matching quote, and it does not treat whitespace or newlines as terminators, so a value that is never properly terminated is read well past where the attribute actually ends.
watchTowr researchers found that the AssertionConsumerServiceURL attribute could be left blank, left unterminated, and reordered within the input XML to cause a significant memory overread. More importantly, the exposed memory is sent back to the requester in the response traffic: data leaked this way is returned in the appliance's NSC_TASS response cookie.
The impact of this CVE is also more limited than that of previous “CitrixBleed” attacks, in that the CVE-2026-8451 overread stops when it reaches a control character such as a null byte, so only a few bytes are returned per request rather than the kilobytes seen in earlier “CitrixBleed” bugs. Even so, the leaked data can include process pointers, which could be chained with other vulnerabilities to achieve remote code execution (RCE). Additionally, a minimal malformed request to the same endpoint reliably crashes the appliance, making denial of service trivial. Proof-of-concept details have been published by watchTowr.
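As an added illustration of the parser defect described above (this is a simplified model written for this note, not NetScaler's code and not watchTowr's proof of concept), the following C compares an unquoted-attribute scanner that stops only at a null byte, “>” or a quote with a hardened scanner that also stops at whitespace. The request fragment and the bytes standing in for adjacent process memory are constructed, and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Both scanners read an UNQUOTED attribute value starting at p and return its
 * length. 'limit' bounds the scan so this demo never reads outside the
 * constructed buffer; a real parser on a live heap has no such guard. */

/* Vulnerable rule: only NUL, '>' or a quote ends the value. Whitespace and
 * newlines do not, so an empty, unterminated value swallows whatever follows. */
size_t scan_unquoted_vuln(const char *p, size_t limit) {
    size_t n = 0;
    while (n < limit) {
        char c = p[n];
        if (c == '\0' || c == '>' || c == '"' || c == '\'') break;
        n++;
    }
    return n;
}

/* Hardened rule: whitespace also terminates an unquoted value. (A strict XML
 * parser would reject unquoted attribute values outright.) */
size_t scan_unquoted_fixed(const char *p, size_t limit) {
    size_t n = 0;
    while (n < limit) {
        char c = p[n];
        if (c == '\0' || c == '>' || c == '"' || c == '\'' ||
            c == ' ' || c == '\t' || c == '\r' || c == '\n') break;
        n++;
    }
    return n;
}

/* Find attr (e.g. "AssertionConsumerServiceURL=") in xml and scan its value;
 * returns the number of bytes consumed as the value, or -1 if not present. */
static long attr_value_len(const char *xml, size_t xml_len, const char *attr,
                           size_t (*scan)(const char *, size_t)) {
    const char *hit = strstr(xml, attr);
    if (!hit) return -1;
    const char *val = hit + strlen(attr);
    return (long)scan(val, xml_len - (size_t)(val - xml));
}

/* Constructed input: the attribute is blank and unterminated (a newline follows
 * '='), and the bytes after the fragment stand in for adjacent memory. */
static const char SAMPLE[] =
    "<samlp:AuthnRequest AssertionConsumerServiceURL=\n"
    "ADJACENT-MEMORY-session-cookie-fragment";
#define ACS_ATTR "AssertionConsumerServiceURL="

long demo_vuln_len(void)  { return attr_value_len(SAMPLE, sizeof SAMPLE - 1, ACS_ATTR, scan_unquoted_vuln); }
long demo_fixed_len(void) { return attr_value_len(SAMPLE, sizeof SAMPLE - 1, ACS_ATTR, scan_unquoted_fixed); }

int main(void) {
    printf("vulnerable scanner consumed %ld bytes after '='\n", demo_vuln_len());
    printf("hardened scanner consumed %ld bytes after '='\n", demo_fixed_len());
    return 0;
}
```

The vulnerable scanner returns the newline plus all 39 bytes of the stand-in adjacent data, while the hardened scanner returns an empty value.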
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this vulnerability and need support, please contact our Incident Response team.