A newly disclosed flaw in Citrix NetScaler, the application delivery and VPN gateway appliances that guard remote access for thousands of large enterprises, can let an unauthenticated attacker read fragments of the device's live memory. Researchers at watchTowr, who reported the bug to Citrix in March 2026, detailed it publicly this week after Citrix shipped a fix.
Tracked as CVE-2026-8451 and described by Citrix as "insufficient input validation leading to memory overread," the issue carries a CVSS score of 8.8. It is the latest entry in what researchers now call the CitrixBleed class, a recurring family of memory disclosure bugs in NetScaler that has repeatedly turned up in real intrusions.
What's affected
The flaw is only exploitable when a NetScaler appliance is configured as a SAML identity provider (IdP), a common single sign-on role. Citrix lists the following as vulnerable:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-63.18
- NetScaler ADC FIPS before 14.1-72.61 FIPS
- NetScaler ADC FIPS and NDcPP before 13.1-37.272
How the attack works
NetScaler kicks off SAML logins at the /saml/login endpoint, where a client submits a base64-encoded XML document. According to watchTowr, Citrix parses that XML with hand-written code rather than a vetted library, and a bug in how it reads attribute values lets an attacker trick the appliance into copying back more memory than it should. In plain terms, the login request can return a slice of whatever data happens to sit nearby in memory, which on an internet-facing gateway can include session tokens and other secrets an attacker could reuse to hijack authenticated sessions.
That is the same pattern behind the original CitrixBleed and its successors, including CVE-2025-5777, which was abused in the wild against telecom networks (see our coverage of Salt Typhoon's NetScaler exploitation). watchTowr says it found the new issue while reproducing an earlier NetScaler memory bug, and warns that memory management across these appliances looks endemically fragile.
What you should do
Citrix has released fixed builds, and administrators should upgrade affected NetScaler ADC and Gateway appliances to 14.1-72.61, 13.1-63.18, or the corresponding FIPS releases without delay. Organizations that cannot patch immediately should review whether their appliances are configured as SAML IdPs, since the flaw is not reachable otherwise, and treat exposed gateways as a priority given the CitrixBleed family's track record in breaches.
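To turn the affected-version list and the SAML IdP condition into a repeatable triage check, here is an added example (not code from Citrix, watchTowr or this briefing) that compares a NetScaler build string against the fixed builds quoted above. It assumes version strings either in the advisory's own "14.1-72.61" form or in the "NetScaler NS14.1: Build 72.61.nc" form printed by the appliance's `show version` command; the function names, the inventory format and the sample fleet are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Release = Tuple[int, int]   # e.g. (14, 1)
Build = Tuple[int, int]     # e.g. (72, 61)

# First fixed builds, taken from the Citrix advisory as quoted in the briefing.
# Key: (release line, FIPS/NDcPP build?). 13.1 FIPS/NDcPP is a separate
# build train (37.x), so it must not be compared against the 63.18 threshold.
FIXED_BUILDS: Dict[Tuple[Release, bool], Build] = {
    ((14, 1), False): (72, 61),
    ((13, 1), False): (63, 18),
    ((14, 1), True): (72, 61),
    ((13, 1), True): (37, 272),
}

# Accepts "14.1-72.61", "14.1-72.61 FIPS" and "NetScaler NS14.1: Build 72.61.nc".
# Assumption: the release and build numbers always appear as two dotted integers.
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<rel>\d+\.\d+)[-:\s]+(?:Build\s+)?(?P<build>\d+\.\d+)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[Release, Build]:
    """Extract (release, build) as integer tuples so they compare numerically."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    rel = tuple(int(x) for x in m.group("rel").split("."))
    build = tuple(int(x) for x in m.group("build").split("."))
    return (rel[0], rel[1]), (build[0], build[1])


def is_vulnerable(text: str, fips: bool = False) -> Optional[bool]:
    """True if the build is below the fixed build for its line, False if at or
    above it, None if the release line is not covered by the quoted advisory."""
    rel, build = parse_version(text)
    # A FIPS/NDcPP marker in the string also selects the FIPS thresholds.
    fips = fips or "FIPS" in text.upper() or "NDCPP" in text.upper()
    fixed = FIXED_BUILDS.get((rel, fips))
    if fixed is None:
        return None
    return build < fixed


def triage(text: str, saml_idp: bool, fips: bool = False) -> str:
    """Combine the version check with the SAML IdP precondition from the advisory."""
    vuln = is_vulnerable(text, fips)
    if vuln is None:
        return "unknown-branch"          # check the vendor bulletin directly
    if not vuln:
        return "fixed"
    # The flaw is only reachable when the appliance acts as a SAML IdP, but the
    # build is still unpatched, so it stays on the upgrade list.
    return "patch-now" if saml_idp else "vulnerable-not-reachable"


def triage_inventory(rows: List[Tuple[str, str, bool, bool]]) -> Dict[str, str]:
    """rows: (hostname, version string, fips build?, configured as SAML IdP?)."""
    return {host: triage(ver, saml_idp, fips) for host, ver, fips, saml_idp in rows}


# Constructed sample fleet (hostnames and builds are made up for the example).
SAMPLE_FLEET = [
    ("gw-dc1", "NetScaler NS14.1: Build 72.50.nc", False, True),
    ("gw-dc2", "NetScaler NS14.1: Build 72.61.nc", False, True),
    ("gw-lab", "13.1-63.17", False, False),
    ("gw-fips", "NetScaler NS13.1: Build 37.207.nc", True, True),
    ("gw-old", "12.1-55.300", False, True),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_FLEET).items():
        print(f"{host:8s} {verdict}")
```

Builds are compared as integer tuples rather than strings so that, for example, 13.1-63.18 correctly sorts after 13.1-37.272; the FIPS flag matters because the 13.1 FIPS/NDcPP fix lands on a different build train than the mainline 13.1 fix.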
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.