Citrix's internet-facing NetScaler appliances have a new pre-authentication memory leak. When an appliance is set up as a SAML identity provider, a malformed login request makes it hand back fragments of its own memory. It is smaller than the original CitrixBleed, but it sits on the same devices that guard remote access into hospitals, utilities, and plant networks, and within days of disclosure it moved from proof-of-concept to active exploitation in the wild.
NetScaler ADC and NetScaler Gateway, formerly branded Citrix ADC, are internet-facing application-delivery and VPN appliances. They sit at the network edge and provide load balancing, authentication, single sign-on, and remote access. In many organizations the NetScaler is the front door: the box that terminates the VPN, brokers logins, and decides who gets to reach internal applications. One common deployment mode makes the appliance a SAML identity provider, so it issues the assertions other applications trust for single sign-on. CVE-2026-8451 lives in that SAML identity-provider code, and it is only reachable when that mode is configured.
watchTowr found the flaw in late March while reproducing a separate NetScaler bug, CVE-2026-3055, that Citrix had disclosed earlier in the year and that CISA added to its Known Exploited Vulnerabilities catalog after active exploitation was confirmed within days. The two share a root cause: out-of-bounds memory reads triggered by malformed SAML requests to the appliance's authentication endpoints. As the researchers put it, memory management "continues to appear fragile" in these appliances, to the point that even a misconfiguration can leak memory.
A SAML login to NetScaler begins with a client-supplied, base64-encoded XML document sent to the /saml/login endpoint. Rather than parse that XML with a hardened, well-tested library, the appliance uses a custom parser, and that is where the bug lives. When the parser reads an unquoted attribute value, it only stops when it hits a null byte, a closing >, or a matching quote. Critically, it does not treat whitespace or newlines as terminators, so a value that is left open simply keeps consuming whatever bytes come next in memory.
watchTowr showed that the AssertionConsumerServiceURL attribute could be left blank, left unterminated, and reordered within the input so that the parser runs off the end of the intended data and reads adjacent process memory. The appliance then does the truly unfortunate part: it reflects that over-read memory back to the attacker, returned inside the appliance's NSC_TASS response cookie. The attacker sends a crafted login and reads leaked memory out of the reply.
The appliance reads past the end of the attacker's own input, then hands the leftover memory back in its response. No credentials, no session, just a malformed login and whatever was sitting next in RAM.
Two honest limits keep this from being a carbon copy of the 2023 CitrixBleed. First, the over-read stops at the next control character, such as a null byte, so each request typically returns only a few bytes rather than the kilobytes the original leaked. Second, extracting anything useful takes many requests. But small and repeatable still matters, because the leaked fragments can include process pointers, and pointer leaks are precisely what an attacker needs to defeat address-space layout randomization and chain a memory-disclosure bug toward remote code execution. And there is a blunt second option: watchTowr notes that a minimal malformed request to the same endpoint reliably crashes the appliance, which turns this into a trivial, unauthenticated denial of service against the box that guards remote access.
We want to be precise about scope. NetScaler is IT infrastructure, not an industrial control system, and CVE-2026-8451 is not an ICS advisory. We are flagging it under our operational-technology and critical-infrastructure watch for a specific and, we think, defensible reason: NetScaler ADC and Gateway are among the internet-facing edge appliances that most often bridge into those environments. In hospitals, utilities, water systems, and manufacturers, the Citrix front door is frequently the remote-access and single-sign-on chokepoint that stands between the public internet and the internal network, including the IT-to-OT boundary. A weakness in that box is a weakness in the perimeter that protects everything behind it.
The class history is the reason to take it seriously. The original CitrixBleed, CVE-2023-4966, leaked session tokens that let attackers hijack authenticated sessions and skip multi-factor authentication, and it was weaponized quickly and broadly, including by ransomware crews against hospitals and other critical organizations. Citrix's NetScaler line has accumulated more than twenty entries in CISA's KEV catalog over the past three years, several of them tied to ransomware. CVE-2026-8451 leaks less per request than the 2023 bug, so we are not claiming it is the same caliber of session-stealing skeleton key. We are saying it belongs to a family with a long record of fast weaponization, on a device that sits exactly where a foothold does the most damage.
We run a fleet of honeypots and edge decoys, and unlike some of the cloud-side issues we cover, this one is squarely in our lane. The vulnerability is reached by sending network traffic to an internet-facing appliance, which is exactly what our decoys are built to emulate and observe.
The observable footprint is concrete. An attacker probing for CVE-2026-8451 has to reach the SAML endpoint, so we would expect to see requests to /saml/login carrying base64-encoded SAML payloads, malformed or truncated XML in those payloads, and replies where the NSC_TASS cookie is being harvested. Scanning for NetScaler devices with SAML identity-provider mode enabled is a natural precursor, and the DoS variant, a minimal malformed request that crashes the service, has its own noisy signature. A decoy that presents as a NetScaler-style edge appliance is well placed to catch reconnaissance and early exploitation of this bug.
The primary fix is to patch to the corrected builds. Citrix disclosed the issue on June 30, 2026 in bulletin CTX696604 and released fixed versions; cloud-managed NetScaler services were updated by the vendor. Because this is a CitrixBleed-class flaw, treat patching as necessary but not automatically sufficient: consistent with guidance from prior NetScaler incidents, an appliance you believe may have been probed should have its secrets rotated and its active sessions terminated after updating, since a patch does not retroactively invalidate anything an attacker may already have pulled from memory.
14.1-72.61 or later · 13.1-63.18 or later · FIPS 13.1-37.272 or later| Type | Detail |
|---|---|
| CVE | CVE-2026-8451, out-of-bounds read (CitrixBleed class), CVSS 8.8 High |
| Product | NetScaler ADC and NetScaler Gateway, when configured as a SAML identity provider |
| Vector | Malformed SAML request to /saml/login; leaked memory returned in the NSC_TASS response cookie |
| Affected | 14.1 < 14.1-72.61, 13.1 < 13.1-63.18, FIPS 14.1 < 14.1-72.61 FIPS, FIPS/NDcPP 13.1 < 13.1-37.272 |
| Fixed | 14.1-72.61, 13.1-63.18, FIPS 13.1-37.272; cloud-managed services updated by vendor (Citrix CTX696604) |
| Related | CVE-2026-3055, shared root cause, added to CISA KEV earlier in 2026 after active exploitation |
| Public PoC | watchTowr published exploit details 2026-06-30; a public PoC repository was created 2026-07-04 (independent PoC-in-GitHub gate) |
| Exploitation | Under active exploitation in the wild from ~July 2, 2026 (CrowdSec and other threat-intel vendors); dozens of attacking IPs within days. Not on CISA KEV as of this writing |