Citrix Fixes Six NetScaler Flaws That Can Allow File Read and DoS Attacks
Citrix has released security updates for six NetScaler ADC and NetScaler Gateway vulnerabilities that can expose appliances to memory overread, arbitrary file read, and denial-of-service attacks.
The company published the NetScaler security bulletin on June 30, 2026. The flaws affect customer-managed NetScaler ADC and NetScaler Gateway deployments, including FIPS and NDcPP builds.
Administrators should treat the update as urgent, especially for internet-facing appliances. NetScaler devices often sit at the edge of enterprise networks, where they handle remote access, authentication, load balancing, and application delivery.
Six NetScaler vulnerabilities were patched
The patched issues are tracked as CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474.
The Canadian Centre for Cyber Security also issued a Citrix security advisory on June 30, 2026, urging users and administrators to review Citrix's guidance and apply the updates.
Citrix says it has no evidence that attackers have exploited these specific vulnerabilities in the wild. Even so, defenders should not delay because NetScaler appliances have repeatedly attracted attackers after past high-profile disclosures.
| CVE | CVSS score | Main issue | Required configuration |
|---|---|---|---|
| CVE-2026-8451 | 8.8 | Memory overread | NetScaler configured as a SAML Identity Provider |
| CVE-2026-8452 | 8.8 | Memory overflow and denial of service | Gateway or AAA virtual server |
| CVE-2026-8655 | 8.8 | Multiple memory overflow issues and denial of service | Oracle load balancing, DNS proxy, or DNS recursive resolver deployment |
| CVE-2026-10816 | 7.7 | Unauthenticated arbitrary file read | Management access enabled through NSIP, Cluster Management IP, or SNIP |
| CVE-2026-10817 | 6.9 | Memory overread | TCP TimeStamp enabled in an attached TCP profile |
| CVE-2026-13474 | 8.7 | Denial of service through malformed HTTP/2 requests | HTTP/2 enabled in an attached HTTP profile |
CVE-2026-8451 affects SAML IdP deployments
CVE-2026-8451 is one of the most important flaws in the bulletin because it affects NetScaler appliances configured as SAML Identity Providers.
Security researchers at watchTowr Labs analyzed the flaw and said it comes from how NetScaler parses malformed SAML authentication requests.
The researchers said the issue shares the same broad root cause as earlier NetScaler SAML memory overread bugs. In practice, their testing showed that attackers could leak small amounts of memory by varying malformed request lengths.
Why memory overread bugs matter
A memory overread flaw can expose data that the appliance should never return to a remote user. The exact data can vary, but edge identity systems often handle sensitive authentication material.
watchTowr said this new issue appears more limited than some previous NetScaler memory disclosure bugs because the leak stops when certain control characters appear. That still leaves concern because even small leaks can help attackers when paired with another flaw.
The bigger risk comes from the appliance role. Many organizations use NetScaler as a gateway or identity control point, so a bug on the appliance can affect remote access, session handling, and internal application exposure.
File read risk centers on management access
CVE-2026-10816 can allow unauthenticated arbitrary file read when management access is available through NSIP, Cluster Management IP, or SNIP.
This makes management-plane exposure a major concern. Administrators should confirm that management interfaces do not face the public internet and that only trusted administrative networks can reach them.
Even after patching, teams should review access rules around NSIP, Cluster Management IP, and SNIP with management access. A patched appliance still benefits from a smaller management attack surface.
Several flaws can trigger denial of service
CVE-2026-8452, CVE-2026-8655, and CVE-2026-13474 can cause denial-of-service conditions under specific configurations.
CVE-2026-8452 affects appliances configured as a Gateway or AAA virtual server. CVE-2026-8655 affects certain Oracle load balancing, DNS proxy, DNS over HTTPS, DNS over TLS, or recursive resolver configurations.
CVE-2026-13474 involves malformed HTTP/2 requests when HTTP/2 is enabled in an attached HTTP profile. This flaw needs extra attention because some customers must change a profile setting after upgrading.
| Product branch | Fixed release |
|---|---|
| NetScaler ADC and NetScaler Gateway 14.1 | 14.1-72.61 and later |
| NetScaler ADC and NetScaler Gateway 13.1 | 13.1-63.18 and later releases of 13.1 |
| NetScaler ADC 14.1-FIPS | 14.1-72.61 FIPS and later releases of 14.1-FIPS |
| NetScaler ADC 13.1-FIPS and 13.1-NDcPP | 13.1-37.272 and later releases of 13.1-FIPS and 13.1-NDcPP |
CVE-2026-13474 may require a manual HTTP/2 change
Citrix says customers must review the Http2SmallWndTimeout parameter for CVE-2026-13474. This setting controls the timeout for HTTP/2 small-window stalled streams.
For appliances using HTTP Strict Profiles, the parameter defaults to 30 seconds after the upgrade. For appliances that do not use HTTP Strict Profiles, the default value remains 0.
That matters because a value of 0 can leave the issue only partly addressed. Customers using non-strict HTTP profiles must manually set Http2SmallWndTimeout to 30 seconds after upgrading to a fixed build.
```
set ns httpProfile <profile_name> -http2SmallWndTimeout 30
```
How to check whether an appliance meets the preconditions
The Citrix bulletin includes configuration strings that customers can inspect to identify exposed roles and profiles.
For CVE-2026-8451, administrators should look for SAML IdP profile configuration. For CVE-2026-8452, they should check for Gateway or AAA virtual servers.
For CVE-2026-13474, teams should identify HTTP profiles with HTTP/2 enabled, then map those profiles to LB, CS, and VPN virtual servers or services.
- Check for SAML IdP profiles with `add authentication samlIdPProfile`.
- Check Gateway and AAA virtual servers with `add vpn vserver` and `add authentication vserver`.
- Review Oracle and DNS load-balancing configurations.
- Search TCP profiles for `TimeStamp ENABLED`.
- Identify HTTP profiles with HTTP/2 enabled.
- Confirm whether non-strict HTTP profiles need `Http2SmallWndTimeout` set to 30 seconds.
- Restrict management access to trusted administrative networks only.
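The checklist above is a manual walk through the running configuration. The script below, added here as an illustration and not taken from the Citrix bulletin or the watchTowr write-up, automates the same walk over an exported configuration (the text of `ns.conf` or `show ns runningConfig`). It flags the roles behind each CVE and, for CVE-2026-13474, maps every HTTP/2-enabled profile to the virtual servers and services it is bound to and notes where `Http2SmallWndTimeout` is not explicitly 30. The sample configuration is constructed, and the CLI keywords used for matching (`-http2`, `-httpProfileName`, `-tcpProfileName`, `-timestamp`, `-mgmtAccess`, service types `ORACLE`, `DNS`, `DNS_TCP`) are assumptions about NetScaler CLI syntax that should be checked against your own appliance's output; the bulletin itself names only the strings listed above.

```python
"""Audit an exported NetScaler config for the bulletin's configuration preconditions.
Example code written for this article, not Citrix's or watchTowr's. CLI keywords
used for matching are assumptions; verify them against your own appliance."""
import shlex
from collections import defaultdict

# Constructed sample ns.conf fragment (not from a real appliance).
SAMPLE_CONFIG = """\
add ns ip 10.0.1.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.2.5 255.255.255.0 -type SNIP
add ns httpProfile http2_strict -http2 ENABLED -http2SmallWndTimeout 30
add ns httpProfile http2_legacy -http2 ENABLED
add ns httpProfile plain_http -http2 DISABLED
add ns tcpProfile tcp_ts -timestamp ENABLED
add authentication samlIdPProfile corp_idp -samlIdPCertName idpcert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication vserver aaa_vs SSL 10.0.0.10 443
add vpn vserver gw_vs SSL 10.0.0.11 443 -httpProfileName http2_legacy -tcpProfileName tcp_ts
add lb vserver web_vs SSL 10.0.0.12 443 -httpProfileName http2_strict
add lb vserver db_vs ORACLE 10.0.0.13 1521
add lb vserver dns_vs DNS 10.0.0.14 53
"""


def _opts(tokens):
    """Collect trailing `-key value` pairs into a dict with lower-cased keys."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and not tok[1:2].isdigit():
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok[1:].lower()] = tokens[i + 1]
                i += 2
            else:
                opts[tok[1:].lower()] = "ENABLED"  # bare switch
                i += 1
        else:
            i += 1
    return opts


def audit(config_text):
    """Return {CVE id: [notes]} for every precondition found in the config text."""
    http_profiles = {}              # name -> {"http2": bool, "small_wnd": int|None}
    tcp_ts_profiles = set()         # TCP profiles with TimeStamp ENABLED
    bindings = defaultdict(list)    # profile name -> entities it is attached to
    findings = defaultdict(list)
    for raw in config_text.splitlines():
        tok = shlex.split(raw.strip())
        if len(tok) < 3 or tok[0].startswith("#"):
            continue
        verb, module, obj = tok[0].lower(), tok[1].lower(), tok[2].lower()
        opts = _opts(tok[3:])
        # Profile bindings on LB/CS/VPN/AAA vservers and on services.
        entity = (f"{module} vserver {tok[3]}" if obj == "vserver" and len(tok) > 3
                  else f"service {tok[2]}" if module == "service" else None)
        if entity:
            for key in ("httpprofilename", "tcpprofilename"):
                if key in opts:
                    bindings[opts[key]].append(entity)
        if (module, obj) == ("ns", "ip") and opts.get("mgmtaccess", "").upper() == "ENABLED":
            findings["CVE-2026-10816"].append(f"{tok[3]} ({opts.get('type', '?')}) has management access enabled")
        elif (module, obj) == ("ns", "httpprofile"):
            prof = http_profiles.setdefault(tok[3], {"http2": False, "small_wnd": None})
            if "http2" in opts:
                prof["http2"] = opts["http2"].upper() == "ENABLED"
            if "http2smallwndtimeout" in opts:
                prof["small_wnd"] = int(opts["http2smallwndtimeout"])
        elif (module, obj) == ("ns", "tcpprofile") and opts.get("timestamp", "").upper() == "ENABLED":
            tcp_ts_profiles.add(tok[3])
        elif (module, obj) == ("authentication", "samlidpprofile"):
            findings["CVE-2026-8451"].append(f"SAML IdP profile {tok[3]}")
        elif verb == "add" and (module, obj) in (("authentication", "vserver"), ("vpn", "vserver")):
            findings["CVE-2026-8452"].append(f"{module} vserver {tok[3]}")
        elif verb == "add" and (module, obj) == ("lb", "vserver") and len(tok) > 4 \
                and tok[4].upper() in ("ORACLE", "DNS", "DNS_TCP"):
            findings["CVE-2026-8655"].append(f"lb vserver {tok[3]} type {tok[4].upper()}")
        elif (module, obj) == ("dns", "parameter") and opts.get("recursion", "").upper() == "ENABLED":
            findings["CVE-2026-8655"].append("DNS recursion enabled")
    # HTTP/2 profiles: the upgrade alone may leave Http2SmallWndTimeout at 0 on non-strict profiles.
    for name, prof in http_profiles.items():
        if prof["http2"]:
            note = f"HTTP/2 profile {name} bound to {', '.join(bindings.get(name, [])) or 'nothing'}"
            if prof["small_wnd"] != 30:
                note += "; Http2SmallWndTimeout not explicitly 30, set it after upgrading if the profile is non-strict"
            findings["CVE-2026-13474"].append(note)
    for name in sorted(tcp_ts_profiles):
        findings["CVE-2026-10817"].append(
            f"TCP profile {name} has TimeStamp ENABLED, bound to {', '.join(bindings.get(name, [])) or 'nothing'}")
    return dict(findings)


if __name__ == "__main__":
    for cve, notes in sorted(audit(SAMPLE_CONFIG).items()):
        print(cve)
        for n in notes:
            print("  -", n)
```

Run it against a saved copy of the running configuration by replacing `SAMPLE_CONFIG` with the file contents. A profile that appears in the CVE-2026-13474 list without a binding is still worth fixing, since it may be attached later.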
watchTowr links CVE-2026-8451 to earlier NetScaler memory bugs
The new SAML memory overread issue follows earlier NetScaler memory disclosure vulnerabilities, including CVE-2026-3055 from March 2026.
watchTowr's technical write-up says CVE-2026-8451 emerged while the researchers tried to reproduce and analyze earlier NetScaler SAML parsing flaws.
The researchers raised a broader concern about fragile memory handling in NetScaler appliances. Their point matters because attackers have historically moved quickly against edge devices once technical details become public.
No exploitation reported, but patching should not wait
Citrix says it has no evidence of exploitation for these six issues. That gives administrators a chance to patch before widespread probing begins.
However, NetScaler appliances have served as attractive targets for ransomware groups and espionage actors in past campaigns. Edge devices that handle authentication often give attackers a valuable position if they find a way in.
The Canadian Cyber Centre advisory lists the affected product versions and encourages administrators to apply the necessary updates.
What NetScaler administrators should do now
Administrators should first identify all customer-managed NetScaler ADC and NetScaler Gateway appliances, including test systems, disaster recovery systems, and appliances behind load balancers.
Next, they should upgrade to the fixed build for the relevant branch. After that, they should review configuration preconditions, especially SAML IdP, Gateway, AAA, DNS, TCP TimeStamp, HTTP/2, and management access settings.
For CVE-2026-13474, teams should not assume the firmware upgrade alone completes remediation. They must verify the HTTP profile setting and manually configure Http2SmallWndTimeout where required.
| Priority | Action | Reason |
|---|---|---|
| 1 | Upgrade to the fixed NetScaler build | Closes the patched vulnerabilities |
| 2 | Set Http2SmallWndTimeout to 30 seconds where needed | Completes remediation for CVE-2026-13474 on non-strict HTTP profiles |
| 3 | Restrict management access | Reduces exposure for file-read and management-plane risks |
| 4 | Review SAML, Gateway, AAA, DNS, TCP, and HTTP/2 profiles | Confirms whether preconditions apply |
| 5 | Monitor logs for malformed SAML, HTTP/2, DNS, and management requests | Helps spot testing or early exploitation attempts |
FAQ
Citrix patched six vulnerabilities in NetScaler ADC and NetScaler Gateway. The flaws can lead to memory overread, arbitrary file read, unpredictable behavior, or denial-of-service attacks under specific configurations.
Fixed versions include NetScaler ADC and NetScaler Gateway 14.1-72.61 or later, 13.1-63.18 or later, NetScaler ADC 14.1-FIPS 14.1-72.61 FIPS or later, and NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.272 or later.
Citrix says it has no evidence that attackers have exploited these six vulnerabilities in the wild. Administrators should still patch quickly because NetScaler appliances are high-value edge devices.
After upgrading, administrators must check the Http2SmallWndTimeout setting. Appliances not using HTTP Strict Profiles may need the value manually set to 30 seconds to fully address the HTTP/2 denial-of-service issue.
CVE-2026-10816 can allow unauthenticated arbitrary file read when access to NSIP, Cluster Management IP, or SNIP with management access is enabled.