
July 3, 2026

New CitrixBleed-Like Flaw Exploited


At a glance:  Citrix has patched CVE-2026-8451, a high-severity vulnerability affecting NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers (IdPs). The flaw has been described as CitrixBleed-like because it can expose portions of appliance memory to an unauthenticated attacker, similar to earlier CitrixBleed vulnerabilities that were actively exploited. Researchers published technical details on June 30, 2026, and observed scanning and exploitation attempts against internet-facing systems within 24 hours of disclosure.

Threat summary

On June 30, 2026, Citrix addressed multiple flaws, including CVE-2026-8451, a high-severity out-of-bounds read vulnerability affecting NetScaler ADC and NetScaler Gateway appliances configured as Security Assertion Markup Language (SAML) Identity Providers (IdPs). Researchers published technical details on the same day and observed scanning and exploitation attempts targeting internet-facing NetScaler systems within 24 hours of disclosure.

NetScaler Gateway and NetScaler ADC are commonly used to provide remote access, federated authentication, and single sign-on services for enterprise applications. Organizations often expose these services to the internet to allow users to securely access corporate applications from remote locations.

In the deployments affected by CVE-2026-8451, the appliance itself acts as the SAML IdP: it authenticates users and issues the assertions that give them single sign-on access to business applications. Many organizations use a dedicated identity platform for this role, but NetScaler is also commonly configured to fill it, so the affected configuration is not unusual in enterprise environments.

Researchers have described CVE-2026-8451 as a CitrixBleed-like vulnerability because it allows unauthenticated disclosure of NetScaler memory through an out-of-bounds read condition. Previous CitrixBleed vulnerabilities exposed sensitive information from appliance memory and were widely exploited following public disclosure. CVE-2026-8451 exists in NetScaler's XML parser, the component that processes SAML authentication data. A specially crafted request can cause NetScaler to read beyond the intended data and return portions of its memory to an unauthenticated threat actor.

Citrix assigned CVE-2026-8451 a CVSS score of 8.8 (High). Exploitation requires no authentication, but only appliances configured as a SAML IdP expose the vulnerable code path: a remote attacker sends specially crafted SAML requests and receives portions of the appliance's process memory in return.

The following supported NetScaler versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-63.18
  • NetScaler ADC FIPS before 14.1-72.61 FIPS
  • NetScaler ADC FIPS and NDcPP before 13.1-37.272

Secure Private Access Hybrid deployments using affected NetScaler instances are also vulnerable and should be upgraded to the recommended builds. Only customer-managed NetScaler ADC and NetScaler Gateway deployments need the updates to be applied. Citrix-managed cloud services and Citrix-managed Adaptive Authentication services are maintained by Cloud Software Group, which applies the required security updates on behalf of customers.


Analysis

NetScaler devices are attractive targets because they are commonly exposed to the internet and frequently used for remote access and authentication services. Organizations using NetScaler ADC or NetScaler Gateway in the affected configuration should prioritize patching internet-facing systems, as researchers observed scanning and exploitation attempts shortly after disclosure.

Researchers demonstrated that CVE-2026-8451 can disclose unintended memory contents from a vulnerable device. Public reporting has not, however, confirmed exposure of credentials, session tokens, cryptographic keys, or any other specific data type. The practical impact depends on what happens to be resident in the process's memory at the moment the out-of-bounds read occurs, which an attacker can influence only by repeating the request.

Organizations are advised to:

  • Determine whether any NetScaler ADC or NetScaler Gateway appliances are configured as SAML IdPs.
  • Check the running build of those systems against the affected-version list above, keeping FIPS and NDcPP builds on their own version lines.
  • Determine whether the affected systems are reachable from the internet.
  • Remediate internet-facing systems first, since scanning and exploitation attempts began within a day of disclosure.
  • Upgrade affected appliances to the fixed versions Citrix released on June 30, 2026.
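The following script is an added example, not Citrix's code or tooling, that turns the affected-version list and the checklist above into a repeatable fleet triage. It assumes the version line printed by the NetScaler CLI command `show ns version` looks like "NetScaler NS14.1: Build 72.61.nc, Date: ..." (that format is an assumption here), compares the parsed build against the first fixed build for each release branch from the advisory, and then sorts appliances into remediation buckets in the order the advisory recommends. The FIPS/NDcPP flag, the SAML IdP role and internet reachability are supplied from the operator's own inventory; the hostnames, build numbers and flags in `INVENTORY` are constructed for the example.

```python
"""Triage helper for the CVE-2026-8451 advisory.

Added example, not Citrix's code. Parses the version line that the NetScaler
CLI prints for `show ns version` (format assumed here to look like
"NetScaler NS14.1: Build 72.61.nc, Date: ...") and compares the build against
the fixed builds listed in the advisory. Whether an appliance is a FIPS/NDcPP
build, is configured as a SAML IdP, and is internet-facing is supplied from
the operator's inventory; the script does not discover those facts.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# First fixed build per release branch, from the advisory's affected-version list.
# Key: (release, fips_or_ndcpp). FIPS/NDcPP 13.1 is its own 37.x branch, so its
# fixed build (37.272) is numerically below the non-FIPS 13.1 fix (63.18); keying
# on the flag keeps the two branches from being compared against each other.
FIXED_BUILDS = {
    ("14.1", False): (72, 61),
    ("14.1", True):  (72, 61),   # 14.1 FIPS
    ("13.1", False): (63, 18),
    ("13.1", True):  (37, 272),  # 13.1 FIPS and NDcPP
}

# Remediation order from the advisory: unpatched internet-facing SAML IdPs first.
PRIORITY = {"internet-idp": 0, "internal-idp": 1, "review": 2, "upgrade": 3, "patched": 4}

# Assumed `show ns version` format: "... NS<release>: Build <major>.<minor>.nc ..."
VERSION_RE = re.compile(r"\bNS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class NsVersion(NamedTuple):
    release: str            # e.g. "14.1"
    build: Tuple[int, int]  # e.g. (72, 61)


def parse_ns_version(show_version_output: str) -> NsVersion:
    """Extract release and build from `show ns version` output (assumed format)."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError(f"no NetScaler version in {show_version_output!r}")
    return NsVersion(m.group(1), (int(m.group(2)), int(m.group(3))))


def build_is_fixed(version: NsVersion, fips_or_ndcpp: bool) -> Optional[bool]:
    """True at or after the fixed build, False before it, None if the release
    is not in the advisory's table and needs manual review."""
    fixed = FIXED_BUILDS.get((version.release, fips_or_ndcpp))
    if fixed is None:
        return None
    return version.build >= fixed   # tuple comparison: (72, 43) < (72, 61)


def triage(version: NsVersion, *, fips_or_ndcpp: bool,
           saml_idp: bool, internet_facing: bool) -> str:
    """Assign one appliance to a remediation bucket (a key of PRIORITY)."""
    fixed = build_is_fixed(version, fips_or_ndcpp)
    if fixed is None:
        return "review"           # release not covered by the advisory's list
    if fixed:
        return "patched"
    if not saml_idp:
        return "upgrade"          # affected build, but not in the exposed role
    return "internet-idp" if internet_facing else "internal-idp"


def triage_fleet(inventory: List[dict]) -> List[Tuple[str, str]]:
    """Return (host, bucket) pairs ordered by remediation priority."""
    results = []
    for item in inventory:
        version = parse_ns_version(item["version"])
        bucket = triage(version, fips_or_ndcpp=item["fips"],
                        saml_idp=item["saml_idp"],
                        internet_facing=item["internet_facing"])
        results.append((item["host"], bucket))
    # sorted() is stable, so hosts keep inventory order within a bucket.
    return sorted(results, key=lambda r: PRIORITY[r[1]])


# Constructed inventory: hostnames, build numbers and flags are made up for this example.
INVENTORY = [
    {"host": "gw-dmz-1",   "version": "NetScaler NS14.1: Build 72.43.nc, Date: Jan 1 2026",
     "fips": False, "saml_idp": True,  "internet_facing": True},
    {"host": "gw-dmz-2",   "version": "NetScaler NS14.1: Build 72.61.nc, Date: Jun 30 2026",
     "fips": False, "saml_idp": True,  "internet_facing": True},
    {"host": "adc-fips-1", "version": "NetScaler NS13.1: Build 37.250.nc, Date: Feb 1 2026",
     "fips": True,  "saml_idp": True,  "internet_facing": False},
    {"host": "adc-lb-1",   "version": "NetScaler NS13.1: Build 58.32.nc, Date: Nov 1 2025",
     "fips": False, "saml_idp": False, "internet_facing": False},
    {"host": "adc-old-1",  "version": "NetScaler NS13.0: Build 92.21.nc, Date: May 1 2025",
     "fips": False, "saml_idp": True,  "internet_facing": True},
]

if __name__ == "__main__":
    for host, bucket in triage_fleet(INVENTORY):
        print(f"{bucket:<13} {host}")
```

Two design points matter for a real run. First, the FIPS/NDcPP flag must come from the inventory rather than be inferred from the build number, because a 13.1 FIPS appliance on build 37.250 is affected while a non-FIPS 13.1 appliance would need 63.18, and comparing the wrong branch silently marks an unpatched device as fixed. Second, a release that is not in the advisory's table (13.0 in the constructed data) is placed in a "review" bucket rather than "patched": the advisory lists only supported versions, so absence from the list is not evidence of safety.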
