CVE-2026-8451 — Citrix NetScaler ADC/Gateway: pre-auth SAML memory overread (CitrixBleed lineage), public PoC
From CTI Daily Brief — 2026-07-01 · published 2026-07-01
Citrix's 2026-06-30 bulletin CTX696604 fixes six NetScaler ADC/Gateway CVEs. The headline flaw, CVE-2026-8451 (CVSS 8.8), is a pre-authentication out-of-bounds read reported by watchTowr Labs. It sits in the hand-rolled XML attribute parser behind the /saml/login endpoint and is reachable only when the appliance is configured as a SAML Identity Provider (watchTowr Labs, 2026-06-30).

The parser terminates unquoted attribute values only on NUL, > or a matching quote, and not on whitespace or newline. An unterminated attribute in a crafted SAML AuthnRequest therefore walks the parser past the buffer boundary. The over-read bytes are returned to the unauthenticated client inside the NSC_TASS response cookie, leaking adjacent process memory one request at a time.

This is the fourth CitrixBleed-class memory-safety defect in NetScaler's auth code paths that watchTowr has documented (after CVE-2025-5777, CVE-2025-12101 and the March-2026 CVE-2026-3055). watchTowr released a "Detection Artefact Generator" on GitHub that produces the malformed request so operators can test their own exposure, and no in-the-wild exploitation of CVE-2026-8451 was confirmed at disclosure (watchTowr Labs, 2026-06-30 · CyberScoop, 2026-06-30).

The companion CVEs cover an additional memory overread when TCP TimeStamp is enabled (CVE-2026-10817), DoS/undefined-control-flow memory-management issues in Gateway/DNS-proxy/AAA vserver configs (CVE-2026-8452, CVE-2026-8655), an unauthenticated arbitrary file read in the Management Interface (CVE-2026-10816), and CVE-2026-13474.

Affected: 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18 (plus FIPS builds); patches are available. NCSC-NL issued advisory NCSC-2026-0216 (NCSC-NL, 2026-06-30).
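As an added illustration (not watchTowr's tool and not Citrix code), the strict check below flags the request shape described above: a start tag whose attribute value is unquoted or never closed. It assumes the AuthnRequest has already been decoded to XML bytes, for example at a reverse proxy in front of /saml/login or during log review; the function name and the sample requests are constructed.

```python
import re

WS = b" \t\r\n"
NAME = re.compile(rb"[A-Za-z_:][A-Za-z0-9_.:-]*")           # ASCII subset of XML names
ATTR = re.compile(rb"([A-Za-z_:][A-Za-z0-9_.:-]*)[ \t\r\n]*=[ \t\r\n]*")

def audit_attributes(xml: bytes) -> list[tuple[int, str]]:
    """Return (offset, reason) for every start tag with a bad attribute value."""
    findings = []
    pos, end = 0, len(xml)
    while (lt := xml.find(b"<", pos)) != -1:
        pos = lt + 1
        tag = NAME.match(xml, pos)
        if tag is None:                  # '</', '<?', '<!': no attributes to audit
            continue
        pos = tag.end()
        while True:
            while pos < end and xml[pos] in WS:
                pos += 1
            if pos >= end:               # tag never reached '>'
                findings.append((lt, "start tag runs to end of input"))
                return findings
            if xml[pos:pos + 1] == b">" or xml[pos:pos + 2] == b"/>":
                break                    # well-formed end of this start tag
            attr = ATTR.match(xml, pos)
            if attr is None:
                findings.append((pos, "malformed attribute"))
                break
            quote = xml[attr.end():attr.end() + 1]
            if quote not in (b'"', b"'"):
                findings.append((attr.start(), "unquoted attribute value"))
                break
            close = xml.find(quote, attr.end() + 1)
            if close == -1:              # opening quote with no partner anywhere
                findings.append((attr.start(), "attribute quote never closed"))
                return findings
            pos = close + 1
    return findings

# Constructed samples: one well-formed request and three malformed start tags.
GOOD = (b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        b'ID="_a1" Version="2.0"><saml:Issuer '
        b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example/'
        b'</saml:Issuer></samlp:AuthnRequest>')
UNQUOTED = b'<samlp:AuthnRequest ID=_a1 Version="2.0">'
UNCLOSED = b'<samlp:AuthnRequest ID="_a1'
TRUNCATED = b'<samlp:AuthnRequest '

if __name__ == "__main__":
    for name in ("GOOD", "UNQUOTED", "UNCLOSED", "TRUNCATED"):
        print(name, audit_attributes(globals()[name]))
```

A non-empty result is grounds to reject or alert on the request before it reaches the appliance. It is a well-formedness check, not a signature specific to CVE-2026-8451, and it does not replace patching.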