ctipilot.ch


CVE-2026-8451 — Citrix NetScaler ADC/Gateway: pre-auth SAML memory overread (CitrixBleed lineage), public PoC

high vulnerability discovered 2026-07-01 04:41 UTC

Part of run 2026-07-01-af9e697d (intel · Claude Opus 4.8 (1M context))

Citrix's 2026-06-30 bulletin CTX696604 fixes six NetScaler ADC/Gateway CVEs. The headline flaw, CVE-2026-8451 (CVSS 8.8), is a pre-authentication out-of-bounds read reported by watchTowr Labs in the hand-rolled XML attribute parser behind the /saml/login endpoint, reachable only when the appliance is configured as a SAML Identity Provider (watchTowr Labs, 2026-06-30). The parser terminates unquoted attribute values only on NUL, > or a matching quote — not on whitespace/newline — so an unterminated attribute in a crafted SAML AuthnRequest walks the parser past the buffer boundary; the over-read bytes are returned to the unauthenticated client inside the NSC_TASS response cookie, leaking adjacent process memory one request at a time.

This is the fourth CitrixBleed-class memory-safety defect in NetScaler's auth code paths that watchTowr has documented (after CVE-2025-5777, CVE-2025-12101 and the March-2026 CVE-2026-3055); watchTowr released a "Detection Artefact Generator" on GitHub that produces the malformed request so operators can test their own exposure, and no in-the-wild exploitation of CVE-2026-8451 was confirmed at disclosure (watchTowr Labs, 2026-06-30 · CyberScoop, 2026-06-30).

The companion CVEs span additional memory overread with TCP TimeStamp enabled (CVE-2026-10817), DoS/undefined-control-flow memory-management issues in Gateway/DNS-proxy/AAA vserver configs (CVE-2026-8452, CVE-2026-8655), an unauthenticated arbitrary file read in the Management Interface (CVE-2026-10816), and CVE-2026-13474. Affected: 14.1 before 14.1-72.61 and 13.1 before 13.1-63.18 (plus FIPS builds); patches are available. NCSC-NL issued advisory NCSC-2026-0216 (NCSC-NL, 2026-06-30).
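The defect class described above, modelled as an added example (constructed for this brief, not NetScaler's code or watchTowr's generator): an attribute-value scanner that stops only on NUL, `>` or the opening quote and never checks the request length, beside a bounded form that also treats whitespace as a terminator and rejects an unterminated value instead of reading on. The request fragment and the "adjacent" bytes that follow it in the arena are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed request buffer: a SAML AuthnRequest fragment whose ID attribute
 * is opened with a quote but never closed. It is not NUL-terminated; the bytes
 * after it stand in for whatever sits next to the request in process memory. */
#define REQ  "<samlp:AuthnRequest ID=\"_abc"
#define NEXT "SESSION=secret-adjacent-data>"
static const char arena[] = REQ NEXT;
#define REQ_LEN (sizeof(REQ) - 1)
#define VAL_OFF (REQ_LEN - 4)          /* offset of "_abc", right after the quote */

/* Model of the flaw: the only terminators are NUL, '>' and the quote (0 for an
 * unquoted value), and the real end of the request is never consulted. */
static size_t scan_value_unbounded(const char *p, char quote)
{
    const char *start = p;
    while (*p != '\0' && *p != '>' && *p != quote)
        p++;
    return (size_t)(p - start);
}

/* Hardened form: bounded by the request length, whitespace ends an unquoted
 * value, and a quoted value that never closes is reported (-1), not read past. */
static long scan_value_bounded(const char *p, size_t len, char quote)
{
    for (size_t i = 0; i < len; i++) {
        char c = p[i];
        if (c == quote || c == '>') return (long)i;
        if (!quote && (c == ' ' || c == '\t' || c == '\r' || c == '\n')) return (long)i;
    }
    return quote ? -1L : (long)len;
}

/* Unterminated quoted value: the unbounded scan runs 28 bytes past the request. */
size_t demo_unbounded_len(void) { return scan_value_unbounded(arena + VAL_OFF, '"'); }
long demo_bounded_rc(void) { return scan_value_bounded(arena + VAL_OFF, REQ_LEN - VAL_OFF, '"'); }

/* Unquoted value followed by whitespace: only the bounded scan stops at the space. */
static const char unquoted[] = "_abc Version=\"2.0\">";
size_t demo_unquoted_unbounded(void) { return scan_value_unbounded(unquoted, 0); }
long demo_unquoted_bounded(void) { return scan_value_bounded(unquoted, sizeof(unquoted) - 1, 0); }

int main(void)
{
    size_t n = demo_unbounded_len();
    printf("unbounded: %zu bytes returned for a %zu-byte remainder: %.*s\n",
           n, (size_t)(REQ_LEN - VAL_OFF), (int)n, arena + VAL_OFF);
    printf("bounded: rc=%ld (-1 = unterminated, reject request)\n", demo_bounded_rc());
    printf("unquoted: unbounded=%zu bounded=%ld\n", demo_unquoted_unbounded(), demo_unquoted_bounded());
    return 0;
}
```

The bounded scanner's -1 is the same condition the action items ask hunters to look for in /saml/login traffic: an attribute opened but never closed before the request ends.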

Action items

  • Inventory and patch internet-facing NetScaler ADC/Gateway to 14.1-72.61 / 13.1-63.18 (or FIPS equivalents) per CTX696604 — a public susceptibility-testing tool exists for CVE-2026-8451 and CitrixBleed-lineage siblings have been exploited within days. Where SAML IdP is not required, disable it; audit whether TCP TimeStamp is enabled on LB/CS/VPN vservers (CVE-2026-10817 prerequisite). Hunt NetScaler SAML /saml/login traffic for malformed/unterminated XML attributes and oversized NSC_TASS cookies.
vulnerabilities pre-auth poc-public patch-available info-disclosure global europe CVE-2026-8451