Network gateways have once again shown a weakness in memory handling, and this time the bug let an attacker retrieve data remotely before logging in. Citrix disclosed the vulnerability CVE-2026-8451 in NetScaler ADC and NetScaler Gateway, which WatchTowr found in March 2026.
The issue, rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/C:N/C/N:N/A:N), affects devices configured as a SAML server for single sign-on. NetScaler mishandled specially crafted XML requests and kept reading past the end of the supplied value. The server picked up adjacent regions of memory and returned them to the attacker in the NSC_TASS value.
In laboratory tests, WatchTowr Labs researchers retrieved several bytes of arbitrary data from process memory. The leak was smaller than in some earlier bugs of the CitrixBleed family, because the read stopped at control characters. The researchers also observed a value that looked like a memory pointer. Combined with another vulnerability, such a leak could assist a more complex attack.
A separate malformed SAML request crashed the nsppe process and could disrupt the device's operation. The WatchTowr write-up describes only a test demonstration; it contains no information about real-world attacks using CVE-2026-8451.
Citrix released fixes on June 30. The vulnerability is fixed in NetScaler ADC and NetScaler Gateway 14.1-72.61 and 13.1-63.18, as well as in the FIPS builds 14.1-72.61 and 13.1-37.272. Administrators are advised to update vulnerable systems to these or newer versions.
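As an added example (not part of the Citrix advisory or the WatchTowr write-up), the following Python check compares a NetScaler build string against the fixed builds listed above; it assumes build strings follow the `major.minor-build.sub` form used in the article and that the FIPS flag comes from the administrator's own inventory.

```python
import re
from typing import Optional, Tuple

# First fixed build per branch, as listed in the article (FIPS builds separate).
FIXED_BUILDS = {
    ("14.1", False): "14.1-72.61",
    ("13.1", False): "13.1-63.18",
    ("14.1", True): "14.1-72.61",   # FIPS
    ("13.1", True): "13.1-37.272",  # FIPS
}

# Assumed format: major.minor-build.sub, e.g. 14.1-72.61
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor-build.sub' into a tuple that compares numerically."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(build: str, fips: bool = False) -> Optional[bool]:
    """True if `build` is at or above the fixed build for its branch, False if
    below it, None if the branch is not covered by the text above (check the
    vendor advisory for that branch instead)."""
    major, minor, *_ = parse_build(build)
    fixed = FIXED_BUILDS.get((f"{major}.{minor}", fips))
    if fixed is None:
        return None
    return parse_build(build) >= parse_build(fixed)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, build, fips) - not real devices.
    inventory = [
        ("ns-edge-01", "14.1-72.61", False),
        ("ns-edge-02", "13.1-59.19", False),
        ("ns-fips-01", "13.1-37.250", True),
        ("ns-legacy", "12.1-65.25", False),
    ]
    labels = {True: "fixed", False: "VULNERABLE - update", None: "branch not in advisory text"}
    for host, build, fips in inventory:
        print(f"{host:12} {build:12} {'FIPS' if fips else '    '} -> {labels[is_fixed(build, fips)]}")
```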