Citrix Fixes Six NetScaler Flaws That Can Allow File Read and DoS Attacks


Citrix has released security updates for six NetScaler ADC and NetScaler Gateway vulnerabilities that can expose appliances to memory overread, arbitrary file read, and denial-of-service attacks.

The company published the NetScaler security bulletin on June 30, 2026. The flaws affect customer-managed NetScaler ADC and NetScaler Gateway deployments, including FIPS and NDcPP builds.

Administrators should treat the update as urgent, especially for internet-facing appliances. NetScaler devices often sit at the edge of enterprise networks, where they handle remote access, authentication, load balancing, and application delivery.

Six NetScaler vulnerabilities were patched

The patched issues are tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474.

The Canadian Centre for Cyber Security also issued a Citrix security advisory on June 30, 2026, urging users and administrators to review Citrix's guidance and apply the updates.

Citrix says it has no evidence that attackers have exploited these specific vulnerabilities in the wild. Even so, defenders should not delay because NetScaler appliances have repeatedly attracted attackers after past high-profile disclosures.

| CVE | CVSS score | Main issue | Required configuration |
|---|---|---|---|
| CVE-2026-8451 | 8.8 | Memory overread | NetScaler configured as a SAML Identity Provider |
| CVE-2026-8452 | 8.8 | Memory overflow and denial of service | Gateway or AAA virtual server |
| CVE-2026-8655 | 8.8 | Multiple memory overflow issues and denial of service | Oracle load balancing, DNS proxy, or DNS recursive resolver deployment |
| CVE-2026-10816 | 7.7 | Unauthenticated arbitrary file read | Management access enabled through NSIP, Cluster Management IP, or SNIP |
| CVE-2026-10817 | 6.9 | Memory overread | TCP TimeStamp enabled in an attached TCP profile |
| CVE-2026-13474 | 8.7 | Denial of service through malformed HTTP/2 requests | HTTP/2 enabled in an attached HTTP profile |

CVE-2026-8451 affects SAML IdP deployments

CVE-2026-8451 is one of the most important flaws in the bulletin because it affects NetScaler appliances configured as SAML Identity Providers.

Security researchers at watchTowr Labs analyzed the flaw and said it comes from how NetScaler parses malformed SAML authentication requests.

The researchers said the issue shares the same broad root cause as earlier NetScaler SAML memory overread bugs. In practice, their testing showed that attackers could leak small amounts of memory by varying malformed request lengths.

Why memory overread bugs matter

A memory overread flaw can expose data that the appliance should never return to a remote user. The exact data can vary, but edge identity systems often handle sensitive authentication material.

watchTowr said this new issue appears more limited than some previous NetScaler memory disclosure bugs because the leak stops when certain control characters appear. It is still a concern, because even small leaks can help attackers when paired with another flaw.

The bigger risk comes from the appliance role. Many organizations use NetScaler as a gateway or identity control point, so a bug on the appliance can affect remote access, session handling, and internal application exposure.

File read risk centers on management access

CVE-2026-10816 can allow unauthenticated arbitrary file read when management access is available through NSIP, Cluster Management IP, or SNIP.

This makes management-plane exposure a major concern. Administrators should confirm that management interfaces do not face the public internet and that only trusted administrative networks can reach them.

Even after patching, teams should review access rules around NSIP, Cluster Management IP, and SNIP with management access. A patched appliance still benefits from a smaller management attack surface.

Several flaws can trigger denial of service

CVE-2026-8452, CVE-2026-8655, and CVE-2026-13474 can cause denial-of-service conditions under specific configurations.

CVE-2026-8452 affects appliances configured as a Gateway or AAA virtual server. CVE-2026-8655 affects certain Oracle load balancing, DNS proxy, DNS over HTTPS, DNS over TLS, or recursive resolver configurations.

CVE-2026-13474 involves malformed HTTP/2 requests when HTTP/2 is enabled in an attached HTTP profile. This flaw needs extra attention because some customers must change a profile setting after upgrading.

| Product branch | Fixed release |
|---|---|
| NetScaler ADC and NetScaler Gateway 14.1 | 14.1-72.61 and later |
| NetScaler ADC and NetScaler Gateway 13.1 | 13.1-63.18 and later releases of 13.1 |
| NetScaler ADC 14.1-FIPS | 14.1-72.61 FIPS and later releases of 14.1-FIPS |
| NetScaler ADC 13.1-FIPS and 13.1-NDcPP | 13.1-37.272 and later releases of 13.1-FIPS and 13.1-NDcPP |

CVE-2026-13474 may require a manual HTTP/2 change

Citrix says customers must review the Http2SmallWndTimeout parameter for CVE-2026-13474. This setting controls the timeout for HTTP/2 small-window stalled streams.

For appliances using HTTP Strict Profiles, the parameter defaults to 30 seconds after the upgrade. For appliances that do not use HTTP Strict Profiles, the default value remains 0.

That matters because a value of 0 can leave the issue only partly addressed. Customers using non-strict HTTP profiles must manually set Http2SmallWndTimeout to 30 seconds after upgrading to a fixed build.

set ns httpProfile <profile_name> -http2SmallWndTimeout 30

How to check whether an appliance meets the preconditions

The Citrix bulletin includes configuration strings that customers can inspect to identify exposed roles and profiles.

For CVE-2026-8451, administrators should look for SAML IdP profile configuration. For CVE-2026-8452, they should check for Gateway or AAA virtual servers.

For CVE-2026-13474, teams should identify HTTP profiles with HTTP/2 enabled, then map those profiles to LB, CS, and VPN virtual servers or services.

  • Check for SAML IdP profiles with add authentication samlIdPProfile.
  • Check Gateway and AAA virtual servers with add vpn vserver and add authentication vserver.
  • Review Oracle and DNS load-balancing configurations.
  • Search TCP profiles for TimeStamp ENABLED.
  • Identify HTTP profiles with HTTP/2 enabled.
  • Confirm whether non-strict HTTP profiles need Http2SmallWndTimeout set to 30 seconds.
  • Restrict management access to trusted administrative networks only.
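The checklist above and the Http2SmallWndTimeout step can be turned into a repeatable audit of a saved NetScaler configuration. The script below is an added example, not Citrix's or watchTowr's code: it reads ns.conf-style text (for instance the output of a running-config export), flags the precondition strings named in the bulletin, maps HTTP/2-enabled profiles to the virtual servers and services that attach them, and prints the exact `set ns httpProfile` command for every non-strict HTTP/2 profile whose timeout is still 0. The sample configuration is constructed for the example. The parameter names `-http2`, `-timeStamp`, `-mgmtAccess`, `-httpProfileName` and `-tcpProfileName`, the `DNS`, `DNS_TCP` and `ORACLE` service types, and the rule that a profile whose name contains "strict" is a Strict Profile are assumptions to check against your own build and naming.

```python
"""Audit NetScaler configuration text for the bulletin's preconditions.

Added example (not Citrix's or watchTowr's code).  Assumptions: option
names -http2, -http2SmallWndTimeout, -timeStamp, -mgmtAccess,
-httpProfileName, -tcpProfileName; DNS/DNS_TCP/ORACLE service types; and
"strict" in a profile name marking an HTTP Strict Profile.
"""
import json
import shlex

# Constructed sample configuration covering each precondition.
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.6 255.255.255.0 -type SNIP
add authentication samlIdPProfile corp_idp -samlIdPCertName idpcert
add authentication vserver auth_vs SSL 10.0.1.10 443
add vpn vserver gw_vs SSL 10.0.1.11 443
add lb vserver dns_vs DNS 10.0.1.12 53
add lb vserver web_vs SSL 10.0.1.13 443
add ns tcpProfile tcp_ts -timeStamp ENABLED
add ns httpProfile http_h2 -http2 ENABLED
add ns httpProfile nshttp_default_strict_validation -http2 ENABLED
set ns httpProfile nshttp_default_strict_validation -http2SmallWndTimeout 30
set lb vserver web_vs -httpProfileName http_h2 -tcpProfileName tcp_ts
"""

DNS_ORACLE_TYPES = {"DNS", "DNS_TCP", "ORACLE"}


def _opt(tokens, name):
    """Value following option `name` (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if name.lower() not in low:
        return None
    i = low.index(name.lower())
    return tokens[i + 1] if i + 1 < len(tokens) else None


def _enabled(tokens, name):
    value = _opt(tokens, name)
    return value is not None and value.upper() == "ENABLED"


def audit_ns_conf(text):
    """Return a dict of findings keyed by the bulletin's preconditions."""
    found = {"saml_idp_profiles": [], "gateway_aaa_vservers": [],
             "dns_oracle_lb_vservers": [], "tcp_timestamp_profiles": [],
             "mgmt_access_ips": [], "http2_profile_bindings": []}
    http_profiles = {}  # name -> {"http2", "strict", "timeout"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:
            tokens = line.split()
        if len(tokens) < 4 or tokens[0].lower() not in ("add", "set"):
            continue
        verb, obj, sub, name = (tokens[0].lower(), tokens[1].lower(),
                                tokens[2].lower(), tokens[3])
        if verb == "add" and obj == "authentication" and sub == "samlidpprofile":
            found["saml_idp_profiles"].append(name)
        elif verb == "add" and obj in ("vpn", "authentication") and sub == "vserver":
            found["gateway_aaa_vservers"].append(name)
        elif (verb == "add" and obj == "lb" and sub == "vserver"
              and len(tokens) > 4 and tokens[4].upper() in DNS_ORACLE_TYPES):
            found["dns_oracle_lb_vservers"].append(name)
        elif obj == "ns" and sub == "tcpprofile" and _enabled(tokens, "-timeStamp"):
            found["tcp_timestamp_profiles"].append(name)
        elif obj == "ns" and sub == "httpprofile":
            # add/set lines for one profile accumulate; timeout defaults to 0.
            prof = http_profiles.setdefault(
                name, {"http2": False, "strict": "strict" in name.lower(), "timeout": 0})
            prof["http2"] = prof["http2"] or _enabled(tokens, "-http2")
            timeout = _opt(tokens, "-http2SmallWndTimeout")
            if timeout is not None and timeout.isdigit():
                prof["timeout"] = int(timeout)
        elif obj == "ns" and sub == "ip" and _enabled(tokens, "-mgmtAccess"):
            found["mgmt_access_ips"].append(name)
        # Profile attachments may appear on any vserver or service add/set line.
        entity = tokens[2] if obj == "service" else (name if sub == "vserver" else None)
        if entity and _opt(tokens, "-httpProfileName"):
            found["http2_profile_bindings"].append((entity, _opt(tokens, "-httpProfileName")))
    found["http2_profiles"] = sorted(n for n, p in http_profiles.items() if p["http2"])
    found["http2_profile_bindings"] = [
        b for b in found["http2_profile_bindings"] if b[1] in found["http2_profiles"]]
    # Non-strict profiles with HTTP/2 on and the timeout still 0 need the manual step.
    found["http2_profiles_needing_timeout"] = sorted(
        n for n, p in http_profiles.items()
        if p["http2"] and not p["strict"] and p["timeout"] == 0)
    found["remediation"] = [f"set ns httpProfile {n} -http2SmallWndTimeout 30"
                            for n in found["http2_profiles_needing_timeout"]]
    return found


if __name__ == "__main__":
    print(json.dumps(audit_ns_conf(SAMPLE_NS_CONF), indent=2))
```

Run it against an exported configuration rather than on the appliance itself; a non-empty `remediation` list is the set of commands still owed after the firmware upgrade, and any hit under `mgmt_access_ips` is an address whose reachability from untrusted networks should be reviewed.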

The new SAML memory overread issue follows earlier NetScaler memory disclosure vulnerabilities, including CVE-2026-3055 from March 2026.

watchTowr's technical write-up says CVE-2026-8451 emerged while the researchers tried to reproduce and analyze earlier NetScaler SAML parsing flaws.

The researchers raised a broader concern about fragile memory handling in NetScaler appliances. Their point matters because attackers have historically moved quickly against edge devices once technical details become public.

No exploitation reported, but patching should not wait

Citrix says it has no evidence of exploitation for these six issues. That gives administrators a chance to patch before widespread probing begins.

However, NetScaler appliances have served as attractive targets for ransomware groups and espionage actors in past campaigns. Edge devices that handle authentication often give attackers a valuable position if they find a way in.

The Canadian Cyber Centre advisory lists the affected product versions and encourages administrators to apply the necessary updates.

What NetScaler administrators should do now

Administrators should first identify all customer-managed NetScaler ADC and NetScaler Gateway appliances, including test systems, disaster recovery systems, and appliances behind load balancers.

Next, they should upgrade to the fixed build for the relevant branch. After that, they should review configuration preconditions, especially SAML IdP, Gateway, AAA, DNS, TCP TimeStamp, HTTP/2, and management access settings.

For CVE-2026-13474, teams should not assume the firmware upgrade alone completes remediation. They must verify the HTTP profile setting and manually configure Http2SmallWndTimeout where required.

| Priority | Action | Reason |
|---|---|---|
| 1 | Upgrade to the fixed NetScaler build | Closes the patched vulnerabilities |
| 2 | Set Http2SmallWndTimeout to 30 seconds where needed | Completes remediation for CVE-2026-13474 on non-strict HTTP profiles |
| 3 | Restrict management access | Reduces exposure for file-read and management-plane risks |
| 4 | Review SAML, Gateway, AAA, DNS, TCP, and HTTP/2 profiles | Confirms whether preconditions apply |
| 5 | Monitor logs for malformed SAML, HTTP/2, DNS, and management requests | Helps spot testing or early exploitation attempts |

FAQ

What did Citrix patch in NetScaler ADC and NetScaler Gateway?

Citrix patched six vulnerabilities in NetScaler ADC and NetScaler Gateway. The flaws can lead to memory overread, arbitrary file read, unpredictable behavior, or denial-of-service attacks under specific configurations.

Which NetScaler versions fix the vulnerabilities?

Fixed versions include NetScaler ADC and NetScaler Gateway 14.1-72.61 or later, 13.1-63.18 or later, NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS or later, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.272 or later.

Has Citrix seen exploitation of these six NetScaler vulnerabilities?

Citrix says it has no evidence that attackers have exploited these six vulnerabilities in the wild. Administrators should still patch quickly because NetScaler appliances are high-value edge devices.

What extra step is needed for CVE-2026-13474?

After upgrading, administrators must check the Http2SmallWndTimeout setting. Appliances not using HTTP Strict Profiles may need the value manually set to 30 seconds to fully address the HTTP/2 denial-of-service issue.

Which NetScaler vulnerability allows arbitrary file read?

CVE-2026-10816 can allow unauthenticated arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled.
