Vulnerabilities | Jul 1, 2026

Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service


Summary

Citrix has released security updates to address six vulnerabilities in its NetScaler ADC and NetScaler Gateway products. These flaws could allow attackers to perform arbitrary file reads or cause denial-of-service conditions. The vulnerabilities range in severity, with several having high CVSS scores, and affect various configurations of the NetScaler appliances.

Full text

Ravie Lakshmanan, Jul 01, 2026 | Vulnerability / Enterprise Security

Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below:

  • CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP
  • CVE-2026-8452 (CVSS score: 8.8) - A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server
  • CVE-2026-8655 (CVSS score: 8.8) - Multiple memory overflow vulnerabilities leading to unpredictable or erroneous behavior and denial-of-service when NetScaler ADC is configured as an LB of type Oracle, a DNS Proxy, or a DNS recursive resolver deployment
  • CVE-2026-10816 (CVSS score: 7.7) - An external control of the file name or path vulnerability leading to unauthenticated, arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled
  • CVE-2026-10817 (CVSS score: 6.9) - An insufficient input validation vulnerability leading to memory overread when TCP TimeStamp is enabled in the TCP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler
  • CVE-2026-13474 (CVSS score: 8.7) - A missing release of memory after effective lifetime vulnerability leading to denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in the HTTP Profile and associated with the virtual server (of type LB, CS, VPN) or the service configured on NetScaler

Patches for the security defects have been released in the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1-72.61 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-63.18 and later releases of 13.1
  • NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS and later releases of 14.1-FIPS
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.272 and later releases of 13.1-FIPS and 13.1-NDcPP

As for CVE-2026-13474, customers are also advised to update their configurations by modifying the Http2SmallWndTimeout parameter, which controls the timeout (in seconds) for HTTP/2 small-window stalled streams:

  • For appliances using HTTP Strict Profiles, this parameter defaults to 30 seconds. The fix is effective immediately after the upgrade.
  • For appliances NOT using HTTP Strict Profiles, the default value is 0. In this case, merely upgrading to the builds containing the fix will not address the vulnerability completely. Customers must manually set Http2SmallWndTimeout to 30 seconds.

The command to set this parameter is below:

    set ns httpProfile <profile_name> -http2SmallWndTimeout <value_in_seconds>

Cisco credited Michael Tucker from the XOR team at JPMorgan Chase, Aliz Hammond of watchTowr, and Maxim Suhanov for reporting the vulnerabilities. There is no evidence that the issues have been exploited in the wild.

watchTowr Labs, in a technical write-up released alongside Citrix's bulletin, said CVE-2026-8451 was discovered and reported in late March 2026 after attempts to reproduce CVE-2026-3055 (CVSS score: 9.3), a separate insufficient input validation flaw that was disclosed earlier this year. The cybersecurity company said the vulnerability stems from how NetScaler parses SAML authentication requests and shares the same root cause as the March 2026 flaw, resulting in out-of-bounds memory reads when sending malformed SAML requests.
"One thing we're keen to note: in contrast to the original CVE-2026-3055, in which kilobytes of binary data can be leaked, this overread will terminate the out-of-bounds read when various control characters are read, such as NULL (or even >)," security researcher Hammond said. "In practice, we found that by varying the request length, we could consistently squeeze a few bytes out of the server."

"However, what should be of concern is the bigger picture - the trend, which is very clearly suggesting that memory management continues to appear fragile within Citrix NetScaler appliances, to the extent that even accidentally misconfiguring an appliance can lead to the disclosure of leaked memory."

In recent years, Citrix appliances have been a lucrative attack target, with multiple flaws in its software exploited by threat actors for ransomware deployment in the past, making it crucial that users apply the patches for optimal protection.
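The CVE-2026-13474 remediation above has a trap: on appliances that do not use HTTP Strict Profiles, upgrading alone leaves Http2SmallWndTimeout at 0, so the fix is not in force until the parameter is set by hand. The following is an added example (not code from Citrix, watchTowr, or The Hacker News) that audits a set of HTTP profile settings against the rule stated in the bulletin and emits the `set ns httpProfile` command for each profile that still needs it. The input format is an assumption: a list of dicts with the keys `name`, `http2`, `strict` and `http2smallwndtimeout`, which mirror the CLI parameter names; the real output of the appliance's `show` commands or its NITRO API may use different field names, so a practitioner would adapt the loader and keep the rule.

```python
"""Audit NetScaler HTTP profiles for the CVE-2026-13474 post-upgrade step.

Added example; not Citrix's or watchTowr's code. It applies the rule from the
bulletin: with HTTP/2 enabled, Http2SmallWndTimeout must be 30 seconds. Strict
profiles default to 30 after the upgrade; non-strict profiles default to 0 and
stay exposed until the parameter is set explicitly.

The input schema (keys "name", "http2", "strict", "http2smallwndtimeout") is an
assumption for illustration; real appliance output may differ.
"""
from typing import Iterable

# Value the bulletin tells customers to set, in seconds.
REQUIRED_TIMEOUT = 30

# Constructed sample of HTTP profile settings; not taken from a real appliance.
SAMPLE_PROFILES = [
    # HTTP/2 disabled: the HTTP/2 stalled-stream issue does not apply.
    {"name": "nshttp_default_profile", "http2": "DISABLED", "strict": False,
     "http2smallwndtimeout": 0},
    # HTTP/2 on, non-strict, timeout left at the default 0: needs the manual fix.
    {"name": "http2_lb_profile", "http2": "ENABLED", "strict": False,
     "http2smallwndtimeout": 0},
    # HTTP/2 on, strict profile, parameter never set: default of 30 applies.
    {"name": "http2_strict_profile", "http2": "ENABLED", "strict": True},
    # HTTP/2 on, non-strict, already set to 30 by an operator.
    {"name": "http2_fixed_profile", "http2": "ENABLED", "strict": False,
     "http2smallwndtimeout": 30},
]


def effective_timeout(profile: dict) -> int:
    """Timeout in force for a profile.

    If the parameter was set explicitly, that value wins. Otherwise apply the
    defaults stated in the bulletin: 30 for strict profiles, 0 for the rest.
    """
    if "http2smallwndtimeout" in profile:
        return int(profile["http2smallwndtimeout"])
    return REQUIRED_TIMEOUT if profile.get("strict") else 0


def is_exposed(profile: dict) -> bool:
    """True when HTTP/2 is enabled and the small-window timeout is disabled (0)."""
    if str(profile.get("http2", "DISABLED")).upper() != "ENABLED":
        return False
    return effective_timeout(profile) == 0


def remediation_commands(profiles: Iterable[dict]) -> list[str]:
    """One 'set ns httpProfile' command (syntax from the bulletin) per exposed profile."""
    return [
        f"set ns httpProfile {p['name']} -http2SmallWndTimeout {REQUIRED_TIMEOUT}"
        for p in profiles
        if is_exposed(p)
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(SAMPLE_PROFILES):
        print(cmd)
```

Run on the constructed sample, the script reports only `http2_lb_profile`: the strict profile is covered by its default, the fixed profile was already set, and the default profile has HTTP/2 off. The check is deliberately independent of the firmware version; it answers the narrower question of whether the configuration half of the fix is in place, which is the part the upgrade does not do for you.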

Indicators of Compromise

  • cve — CVE-2026-8451
  • cve — CVE-2026-8452
  • cve — CVE-2026-8655
  • cve — CVE-2026-10816
  • cve — CVE-2026-10817
  • cve — CVE-2026-13474

Entities

  • NetScaler ADC (product)
  • NetScaler Gateway (product)
  • Citrix (vendor)
  • SAML IDP (product)