A new high-severity vulnerability, CVE-2026-8451, affecting NetScaler ADC and NetScaler Gateway appliances is under active exploitation. The flaw, which is being compared to the infamous CitrixBleed vulnerability, is an out-of-bounds read issue that can disclose sensitive information from the device's memory. With a CVSS score of 8.8 (High), the vulnerability was weaponized by threat actors less than 24 hours after its public disclosure on June 30, 2026. The rapid exploitation was fueled by the simultaneous release of patches by Citrix and a detailed technical write-up and proof-of-concept (PoC) by security firm watchTowr. Organizations using affected NetScaler appliances configured as a SAML identity provider (IDP) are urged to apply the patches immediately.
CVE-2026-8451 is an out-of-bounds read vulnerability that exists in the XML parser of NetScaler appliances. The flaw is triggered when the device is configured as a Security Assertion Markup Language (SAML) identity provider (IDP). Specifically, the parser incorrectly handles unquoted XML attribute values that are followed by a newline character. This causes the parser to read beyond the intended memory buffer.
An unauthenticated attacker can send a specially crafted request to a vulnerable appliance. In response, the device returns contents of its memory inside the NSC_TASS cookie of an HTTP response. This leaked memory can contain sensitive information such as session cookies, credentials, and other confidential data, which could then be used to hijack legitimate user sessions and gain unauthorized access to the network.
The vulnerability affects the following products when they are configured as a SAML IDP:
Citrix has released patches to address this vulnerability, and administrators should consult the official Citrix security bulletin for the specific patched versions.
According to security firm Lupovis, scanning and exploitation activity began almost immediately after the vulnerability details were made public. The first scans were observed originating from an IP address in Frankfurt, Germany. The attackers appeared to be using a detection script based on the PoC released by watchTowr. The extremely short time between disclosure and exploitation (less than 24 hours) underscores a trend where threat actors have automated pipelines to monitor vulnerability disclosures, develop exploits, and launch attacks at scale.
The impact of exploiting CVE-2026-8451 can be severe:
The vulnerability's resemblance to CitrixBleed (CVE-2023-4966) is particularly concerning, as that flaw was widely exploited by ransomware groups and other threat actors to cause significant damage.
Security teams should hunt for the following patterns to identify exploitation attempts:
Requests to the /saml/login SAML endpoint on the appliance.
An NSC_TASS cookie being returned in an HTTP response from the NetScaler device, as it contains the leaked memory content.
An NSC_TASS cookie whose value exceeds a normal size threshold. This aligns with D3FEND's Network Traffic Analysis.

Applying the vendor-supplied patch is the most critical and effective mitigation.
Use network security monitoring to detect and alert on the specific signatures of the exploit, such as an abnormally large cookie in the HTTP response.
As a temporary measure, restricting access to the vulnerable SAML endpoint from untrusted networks can reduce the attack surface.
Given the active, widespread exploitation of CVE-2026-8451, immediate patching of all affected NetScaler ADC and Gateway appliances is the highest priority. This should be treated as an emergency change, bypassing normal change windows. The rapid weaponization of this flaw means any unpatched, internet-facing device is at extreme risk. After applying the patch, it is equally critical to terminate all active sessions on the appliance to invalidate any session tokens that may have already been stolen by attackers.
Implement a specific detection rule in your Network Intrusion Detection System (NIDS) or SIEM to hunt for exploitation of CVE-2026-8451. The rule should monitor HTTP/S responses from your NetScaler appliances and trigger a high-priority alert if the Set-Cookie header contains an NSC_TASS cookie with a value larger than a baseline threshold (e.g., > 4KB). This is a high-confidence indicator of a successful memory leak. This allows for the rapid identification of compromised or targeted appliances, enabling incident response to begin immediately.
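The following is an added illustration of the detection rule described above, written for this page and not taken from Citrix, watchTowr or any vendor product. It scores one request/response pair on the two indicators the article names (an NSC_TASS cookie in a Set-Cookie header larger than the 4KB baseline, and the /saml/login endpoint); the sample responses are constructed, not captured traffic.

```python
import re
from typing import Optional

# Threshold taken from the article's guidance (> 4KB); tune to your own baseline.
NSC_TASS_MAX_BYTES = 4096
# Endpoint the article names as the exploitation path.
SAML_ENDPOINT = "/saml/login"

# Constructed samples (not captured traffic): a benign response and one shaped like a leak.
NORMAL_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /vpn/index.html\r\n"
    "Set-Cookie: NSC_TASS=aGVsbG8=; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
SUSPICIOUS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: NSC_TASS=" + "A" * 6000 + "; Path=/; Secure\r\n"
    "\r\n"
)


def nsc_tass_value(raw_response: str) -> Optional[str]:
    """Return the NSC_TASS value from the first matching Set-Cookie header, else None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            match = re.match(r"\s*NSC_TASS=([^;]*)", value)
            if match:
                return match.group(1)
    return None


def classify_exchange(request_path: str, raw_response: str,
                      threshold: int = NSC_TASS_MAX_BYTES) -> dict:
    """Score one request/response pair using the article's two indicators."""
    value = nsc_tass_value(raw_response)
    size = len(value.encode()) if value is not None else 0
    oversized = size > threshold
    saml_path = request_path.split("?", 1)[0] == SAML_ENDPOINT
    if oversized and saml_path:
        severity = "high"      # oversized cookie on the SAML endpoint
    elif oversized:
        severity = "medium"    # oversized cookie elsewhere; still worth a look
    else:
        severity = "none"
    return {"nsc_tass_bytes": size, "saml_endpoint": saml_path, "severity": severity}


if __name__ == "__main__":
    print(classify_exchange("/vpn/index.html", NORMAL_RESPONSE))
    print(classify_exchange("/saml/login?SAMLRequest=x", SUSPICIOUS_RESPONSE))
```

In a SIEM or NIDS the same logic becomes a rule on the Set-Cookie header length for responses from the NetScaler address range, with the request URI as a correlation field rather than a parameter.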
After patching the NetScaler appliance, it is imperative to perform a comprehensive invalidation of all authentication tokens and sessions. This involves not only terminating all sessions on the NetScaler device itself but also coordinating with downstream application owners to force re-authentication for all users. This step is crucial because the primary risk of CVE-2026-8451 is session hijacking. Without invalidating stolen tokens, an attacker can maintain access to internal applications even after the NetScaler is patched.
Citrix discloses CVE-2026-8451 and releases patches. watchTowr simultaneously publishes a technical PoC.
Lupovis reports observing active scanning and exploitation of the vulnerability, less than 24 hours after disclosure.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.