
Citrix NetScaler: New Memory-Leak Vulnerability CVE-2026-8451 Under Active Exploitation

The bottom line: A new Citrix NetScaler vulnerability (CVE-2026-8451) lets unauthenticated attackers read data out of process memory, and it is already being exploited in the wild.

Citrix has patched a new memory over-read vulnerability in NetScaler appliances, CVE-2026-8451. Exploitation attempts were observed in the wild less than 24 hours after the patch was released.

CVE-2026-8451, discovered by researchers at watchTowr, belongs to the CitrixBleed family of flaws: a malformed, unauthenticated request makes the appliance return bytes of protected process memory in its response. Citrix rates it High severity with a CVSS score of 8.8. Unlike its predecessors (CVE-2023-4966, CVE-2025-5777, CVE-2026-3055), CVE-2026-8451 exposes only small amounts of data per request, and to date no session IDs have been observed in the leaked bytes.

Exploitation requires the NetScaler appliance to be configured as a SAML identity provider, the same precondition as CitrixBleed 3, which was patched in March and subsequently used in active attacks. According to security firm Lupovis, CVE-2026-8451 was targeted within 24 hours of the patch: three separate sensors were hit within a five-hour window. On the third sensor the probe received a successful response (HTTP 200), after which the attacker immediately sent the exploit payload.

Although the proof-of-concept leaked only individual bytes, far less than the kilobytes seen in earlier CitrixBleed cases, the leaked information is still valuable to an attacker. Repeated requests can be chained to accumulate sensitive data. More importantly, the leak can disclose process memory addresses: an attacker who knows where code and data sit in memory can bypass ASLR and aim a payload precisely when exploiting a separate memory-corruption bug such as a buffer overflow, gaining full control of the appliance.
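To make the mechanism concrete, here is an added illustration in C, written for this page and not taken from NetScaler, Citrix or watchTowr. It models a request handler that copies an attacker-declared number of bytes out of a request buffer without comparing it to the bytes actually received, so the response carries the neighbouring secret and a pointer-sized value; the hardened handler next to it clamps the length. The struct layout, the sample request, the secret and the pointer value are all constructed for the example.

```c
/* Added illustration, not NetScaler or watchTowr code: a memory over-read of
 * the CitrixBleed kind. A handler copies an attacker-declared length out of a
 * request buffer without checking how many bytes actually arrived, so the
 * response carries whatever sits after the buffer in memory. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REQ_CAP 16
#define SAMPLE_PTR ((uintptr_t)0x5a5a1234u)   /* constructed stand-in for a code address */

/* Simulated slice of process memory: the request buffer is followed by a
 * secret and a pointer-sized value, the way neighbouring allocations would be. */
struct region {
    char      req[REQ_CAP];   /* bytes received from the client */
    char      secret[8];      /* e.g. a token belonging to someone else */
    uintptr_t code_ptr;       /* e.g. a function address; leaking it defeats ASLR */
};

void build_sample_region(struct region *m) {
    memset(m, 0, sizeof *m);
    memcpy(m->req, "GET /saml", 9);          /* constructed request: 9 bytes actually received */
    memcpy(m->secret, "S3CR3T!!", 8);        /* constructed sample secret */
    m->code_ptr = SAMPLE_PTR;
}

/* Vulnerable handler: the length comes from the request itself and is only
 * bounded by the output buffer, never by the bytes actually received. */
size_t vuln_echo(const struct region *m, size_t declared_len, char *out, size_t out_cap) {
    const unsigned char *base = (const unsigned char *)m + offsetof(struct region, req);
    if (declared_len > out_cap) declared_len = out_cap;   /* guards only the caller's buffer */
    memcpy(out, base, declared_len);                       /* runs past req[] into secret/code_ptr */
    return declared_len;
}

/* Fixed handler: clamp to what was received and to the buffer's own size. */
size_t safe_echo(const struct region *m, size_t declared_len, size_t received_len,
                 char *out, size_t out_cap) {
    size_t n = declared_len;
    if (n > received_len) n = received_len;
    if (n > REQ_CAP)      n = REQ_CAP;
    if (n > out_cap)      n = out_cap;
    memcpy(out, m->req, n);
    return n;
}

/* What the attacker does with the response: read the pointer field out of the
 * over-read bytes. Returns 0 when the response is too short to contain it. */
uintptr_t leaked_code_ptr(const char *resp, size_t n) {
    size_t off = offsetof(struct region, code_ptr) - offsetof(struct region, req);
    uintptr_t p;
    if (n < off + sizeof p) return 0;
    memcpy(&p, resp + off, sizeof p);
    return p;
}

/* Number of bytes in a response that were never part of the request. */
size_t bytes_leaked(size_t returned, size_t received_len) {
    return returned > received_len ? returned - received_len : 0;
}

/* Vulnerable path: the client claims the whole object and gets secret + pointer. */
int demo_vuln_leaks(void) {
    struct region m; char out[64];
    build_sample_region(&m);
    size_t n = vuln_echo(&m, sizeof m, out, sizeof out);
    return n == sizeof m
        && memcmp(out + REQ_CAP, "S3CR3T!!", 8) == 0
        && leaked_code_ptr(out, n) == SAMPLE_PTR;
}

/* Fixed path: the same claim is cut back to the 9 bytes that arrived. */
int demo_safe_holds(void) {
    struct region m; char out[64];
    build_sample_region(&m);
    size_t n = safe_echo(&m, sizeof m, 9, out, sizeof out);
    return n == 9 && leaked_code_ptr(out, n) == 0;
}
```

Once leaked_code_ptr() returns a real address, the randomised base of the module it points into is known, which is what the article means by defeating ASLR; the pairing it describes is this leak plus a separate bug such as a buffer overflow to deliver the payload.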

In the same patch cycle, Citrix fixed further flaws: two high-severity memory-overflow vulnerabilities (CVE-2026-8452, CVE-2026-8655), an unauthenticated arbitrary file read (CVE-2026-10816), another out-of-bounds memory over-read (CVE-2026-10817), and an HTTP/2 denial of service (CVE-2026-13474), NetScaler's instance of the HTTP/2 bomb attack (CVE-2026-49975).

Organisations running NetScaler ADC or NetScaler Gateway should update to version 14.1-72.61, 13.1-63.18 or 13.1-37.272. watchTowr has also published a Python detection script for CVE-2026-8451 that quickly tests whether an appliance is vulnerable.
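A quick check a practitioner would want, as an added example in C that is not Citrix's or watchTowr's code: parse a NetScaler build string and compare it with the three fixed builds the advisory lists. It assumes the usual "major.minor-build.sub" format and, because the page lists 13.1-37.272 separately from 13.1-63.18, treats 13.1-37.x as its own build line; both assumptions are marked in the code.

```c
/* Added helper, not from Citrix or watchTowr: decide whether a NetScaler build
 * string such as "14.1-72.61" is at or past the fixed builds for CVE-2026-8451.
 * Assumptions: the "M.m-B.s" format, and that 13.1-37.x is a separate build
 * line (the advisory lists 13.1-37.272 separately from 13.1-63.18). */
#include <stdio.h>
#include <string.h>

struct ns_build { int major, minor, build, sub; };

/* Returns 1 on a well-formed "M.m-B.s" string, 0 otherwise (trailing junk rejected). */
int parse_build(const char *s, struct ns_build *b) {
    char tail;
    int n = sscanf(s, "%d.%d-%d.%d%c", &b->major, &b->minor, &b->build, &b->sub, &tail);
    return n == 4;
}

/* Compare build.sub within one release line: <0, 0, >0 like strcmp. */
static int cmp_build_sub(const struct ns_build *a, const struct ns_build *f) {
    if (a->build != f->build) return a->build < f->build ? -1 : 1;
    if (a->sub != f->sub)     return a->sub < f->sub ? -1 : 1;
    return 0;
}

/* 1 = at or above the fixed build for its line, 0 = below it (vulnerable build),
 * -1 = unparseable, or a release line the advisory in this article does not list. */
int build_is_fixed(const char *version) {
    static const struct ns_build fixed_14_1    = {14, 1, 72, 61};
    static const struct ns_build fixed_13_1    = {13, 1, 63, 18};
    static const struct ns_build fixed_13_1_37 = {13, 1, 37, 272};  /* assumed separate line */
    struct ns_build b;
    const struct ns_build *f = NULL;

    if (!parse_build(version, &b)) return -1;
    if (b.major == 14 && b.minor == 1)      f = &fixed_14_1;
    else if (b.major == 13 && b.minor == 1) f = (b.build == 37) ? &fixed_13_1_37 : &fixed_13_1;
    if (!f) return -1;
    return cmp_build_sub(&b, f) >= 0;
}
```

Feed it the version string the appliance itself reports (for example from the CLI's show ns version) rather than an inventory record, and treat a 0 as a trigger both to patch and to look for signs of exploitation: the article notes attacks began within 24 hours of the patch, and a build number says nothing about whether an appliance was already hit. A -1 means the string is malformed or on a line the advisory summarised here does not cover, not that the appliance is safe. watchTowr's detection script tests the appliance's behaviour directly and is the better check of exposure.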


Source: www.csoonline.com · Published 3 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
