Vulnerabilities | Jul 1, 2026

Citrix Patches NetScaler Vulnerabilities, Including New ‘HTTP/2 Bomb’ Attack

Citrix patches six NetScaler vulnerabilities, including HTTP/2 Bomb and a CitrixBleed-style flaw.

Summary

Citrix has released security updates for its NetScaler ADC and Gateway products, addressing six vulnerabilities. Among the patched issues are the HTTP/2 Bomb denial-of-service exploit and a high-severity information disclosure bug similar to CitrixBleed, which could allow attackers to leak sensitive memory data. The company urges customers to apply the patches promptly, noting that specific configurations are required for exploitation.

Full text

Citrix on Tuesday announced fresh NetScaler ADC and NetScaler Gateway security updates that resolve six vulnerabilities, including the recent HTTP/2 Bomb flaw. Four of the issues, tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, and CVE-2026-10816, are high-severity out-of-bounds read, memory overflow, and arbitrary file read bugs. Tracked as CVE-2026-10816, the fifth is a medium-severity out-of-bounds read, while the sixth is HTTP/2 Bomb, a denial-of-service (DoS) exploit targeting Apache HTTP Server.

Tracked as CVE-2026-49975 and discovered using OpenAI’s Codex, HTTP/2 Bomb combines previously known attack techniques to knock web servers offline. Citrix assigned it a separate NetScaler-specific CVE identifier, CVE-2026-13474.

All these weaknesses were addressed in NetScaler ADC and NetScaler Gateway versions 14.1-72.61 and 13.1-63.18, NetScaler ADC FIPS version 14.1-72.61 FIPS, and NetScaler ADC FIPS and NDcPP version 13.1-37.272. Citrix points out that each vulnerability has different configuration-specific preconditions and that customers should evaluate whether their deployments have the vulnerable features enabled.

According to attack surface management firm watchTowr, Citrix customers should pay particular attention to CVE-2026-8451 (CVSS score of 8.8), which it describes as the latest in the CitrixBleed series of security defects. The company explains that the bug affects NetScaler’s XML parser, which reads beyond the intended bounds of each XML attribute value, so that NetScaler can be tricked into returning restricted memory in an HTTP response. Successful exploitation, however, requires that the NetScaler instance is configured as a SAML IDP and that the attacker’s login request satisfies specific conditions.
According to watchTowr, an attacker could exploit this security defect to leak data from a vulnerable appliance, including a data pointer that, when combined with a memory corruption issue, could lead to full device compromise. Organizations with self-managed NetScaler ADC, NetScaler Gateway, and Citrix Secure Private Access Hybrid deployments using NetScaler instances are advised to apply the fresh patches as soon as possible.

Written by Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
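As an added example (not from the article, Citrix or watchTowr), a small Python check that parses NetScaler version strings and compares them against the fixed builds listed above; it distinguishes the 13.1 FIPS/NDcPP line, whose fixed build number (37.272) is lower than the standard 13.1 fix (63.18), so a bare version string is not enough to decide. The `show ns version` output format it accepts and the inventory entries are assumptions constructed for the example.

```python
import re
from typing import Iterable, Iterator, Optional, Tuple

# Fixed builds named in the advisory, keyed by (release branch, edition);
# "fips_ndcpp" covers NetScaler ADC FIPS and NDcPP. The 13.1 FIPS/NDcPP fix
# (37.272) has a lower build number than the standard 13.1 fix (63.18), so
# the edition must be known, not just the version string.
FIXED_BUILDS = {
    ("14.1", "standard"): (72, 61),
    ("14.1", "fips_ndcpp"): (72, 61),
    ("13.1", "standard"): (63, 18),
    ("13.1", "fips_ndcpp"): (37, 272),
}

# Matches "14.1-72.61" and a line like "NetScaler NS14.1: Build 72.61.nc, ..."
# (the `show ns version` output format is assumed here, not from the article).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:-]\s*(?:Build\s+)?(\d+)\.(\d+)")

def parse_version(text: str) -> Tuple[str, int, int]:
    """Return (branch, build, sub_build), e.g. ("14.1", 72, 61)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def is_patched(text: str, edition: str = "standard") -> Optional[bool]:
    """True if at/above the fixed build for this branch and edition, False if
    below, None if the advisory lists no fixed build for the branch."""
    branch, build, sub = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return None
    return (build, sub) >= fixed  # numeric tuple compare: 8.50 < 72.61

def triage(inventory: Iterable[Tuple[str, str, str]]) -> Iterator[Tuple[str, str]]:
    """Map (host, version text, edition) entries to a patch-status label."""
    labels = {True: "patched", False: "UPDATE REQUIRED", None: "no fixed build listed"}
    for host, text, edition in inventory:
        yield host, labels[is_patched(text, edition)]

if __name__ == "__main__":
    sample = [  # constructed inventory, for illustration only
        ("gw-1", "NetScaler NS14.1: Build 72.61.nc, Date: Jun 30 2026", "standard"),
        ("gw-2", "13.1-37.272", "fips_ndcpp"),
        ("gw-3", "13.1-37.272", "standard"),
        ("gw-4", "13.0-92.21", "standard"),
    ]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```

A `None` result only means the advisory text above names no fixed build for that branch; it is not a statement that the branch is unaffected.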

Indicators of Compromise

  • cve — CVE-2026-8451
  • cve — CVE-2026-8452
  • cve — CVE-2026-8655
  • cve — CVE-2026-10816
  • cve — CVE-2026-13474

Entities

  • NetScaler ADC (product)
  • NetScaler Gateway (product)
  • Citrix (vendor)
  • HTTP/2 (technology)
  • Apache HTTP Server (technology)
  • OpenAI Codex (product)