CitrixBleed-Class NetScaler ADC/Gateway SAML AuthnRequest Memory Disclosure (CVE-2026-8451) Exploited Within 24 Hours of Disclosure — Threadlinqs Intelligence
Threat ID: TL-2026-1078 · Severity: CRITICAL · CVSS: 8.8 · Status: ACTIVE · Category: VULNERABILITY
A pre-authentication out-of-bounds read (CVSS 8.8) in NetScaler ADC/Gateway's custom SAML XML parser fails to terminate unquoted AuthnRequest attribute values on whitespace/newlines, causing an
CVE-2026-8451 is a high-severity (CVSS 4.0: 8.8) memory-disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances configured as SAML Identity Providers, disclosed by Citrix on 2026-06-30 via advisory CTX696604 alongside five related CVEs (CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474). The flaw was discovered by watchTowr Labs researcher Aliz Hammond in late March 2026 while reproducing a separate NetScaler vulnerability, CVE-2026-3055.
The root cause lies in NetScaler's decision to implement a custom, non-standard XML parser for SAML AuthnRequest documents rather than a vetted library. The parser's attribute-value tokenizer terminates unquoted values only when it encounters a null byte, a closing angle bracket ('>'), or a matching quote character -- it does not treat whitespace or newline characters as terminators, and it lacks bounds checking against the allocated input buffer. An attacker can submit a malformed, base64-encoded SAMLRequest to the unauthenticated /saml/login endpoint containing an unterminated opening <samlp:AuthnRequest> tag with an attribute such as AssertionConsumerServiceURL left blank, unquoted, and followed by a newline instead of a closing quote. The lenient tag-closure logic also allows a <saml:Issuer> element to be supplied outside the AuthnRequest element itself. Together these parser leniencies force the attribute-value reader to walk past the end of the intended input buffer and into adjacent heap memory, byte by byte, until it happens to encounter a terminator character.
The over-read bytes are captured as the (spoofed) attribute value and are subsequently embedded by NetScaler into the NSC_TASS authentication cookie returned to the client. Decoding the base64 cookie reveals raw process memory content -- watchTowr researchers confirmed genuine memory disclosure (rather than null-padding) by observing recognizable heap fill patterns (0xdeadbeef) and plausible pointer-like values (e.g., 0xa10ca7ed) in leaked output. Because the read walks byte by byte until any of a narrow set of terminators appears, single requests generally leak small, precisely bounded memory fragments rather than the multi-kilobyte leaks characteristic of the earlier CVE-2026-3055 variant -- but repeated requests allow an attacker to harvest session tokens, internal pointers, and other sensitive appliance memory over time. A minimized, malformed variant of the same payload (a bare, unterminated <samlp:AuthnRequest ID= element with no closing tag) reliably crashes the nsppe worker process, giving attackers a low-cost, unauthenticated denial-of-service primitive against the same code path.
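The reader behaviour described in the two paragraphs above, as an added Python model that is not NetScaler's code: the flawed unquoted-attribute reader (terminates only on NUL, '>' or a quote, never consults the allocation size) beside a bounds-checked one that also honours XML whitespace, both run over a constructed buffer in which the bytes after the decoded request stand in for adjacent heap memory. The 0xdeadbeef fill word and the 0xa10ca7ed pointer-like value are the ones the page cites; the session-token string, the function names and the crash-variant buffer are assumptions.

```python
# Added model, not NetScaler code. `heap` stands for process memory: bytes before
# `alloc_end` are the decoded SAMLRequest, bytes after it are adjacent memory.
import struct

LENIENT_STOP = frozenset(b"\x00>\"'")            # the only terminators the flawed reader honours
XML_SPACE = frozenset(b" \t\r\n")                 # whitespace that XML says also ends an unquoted token
SAFE_STOP = LENIENT_STOP | XML_SPACE


def read_value_lenient(heap: bytes, start: int) -> bytes:
    """Flawed reader: ignores the allocation size and walks until a terminator byte appears.
    (The model stops at the end of `heap`, where a real process would fault or keep reading.)"""
    i = start
    while i < len(heap) and heap[i] not in LENIENT_STOP:
        i += 1
    return heap[start:i]


def read_value_safe(heap: bytes, start: int, alloc_end: int) -> bytes:
    """Hardened reader: bounded by the allocation and terminated on XML whitespace as well."""
    i = start
    while i < alloc_end and heap[i] not in SAFE_STOP:
        i += 1
    return heap[start:i]


def value_start(heap: bytes, attr: bytes) -> int:
    """Index of the first value byte after `attr=`."""
    return heap.index(attr + b"=") + len(attr) + 1


def has_heap_fill_pattern(leaked: bytes, pattern: int = 0xDEADBEEF) -> bool:
    """watchTowr's sanity test: a little-endian fill word in the output means real memory, not padding."""
    return struct.pack("<I", pattern) in leaked


# Constructed data: blank, unquoted AssertionConsumerServiceURL followed by a newline, no closing quote.
REQUEST = b"<samlp:AuthnRequest AssertionConsumerServiceURL=\n"
ADJACENT = b"\xef\xbe\xad\xde" b"session_token=c0ffee42;" b"\xed\xa7\x0c\xa1" b">"   # fake neighbouring heap
HEAP = REQUEST + ADJACENT
ALLOC_END = len(REQUEST)


def demo() -> tuple[bytes, bytes]:
    """Return (what the flawed reader captures, what the hardened reader captures)."""
    start = value_start(HEAP, b"AssertionConsumerServiceURL")
    return read_value_lenient(HEAP, start), read_value_safe(HEAP, start, ALLOC_END)


def demo_truncated_tag() -> tuple[bytes, bytes]:
    """Crash variant: the input ends right at `<samlp:AuthnRequest ID=`, so alloc_end == start."""
    heap = b"<samlp:AuthnRequest ID=" + bytes(range(1, 33))   # constructed: no NUL, '>' or quote follows
    start = value_start(heap, b"ID")
    return read_value_lenient(heap, start), read_value_safe(heap, start, start)
```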
This places CVE-2026-8451 squarely in the CitrixBleed lineage that began with CVE-2023-4966 (the original CitrixBleed, CVSS 9.4, exploited at scale by LockBit 3.0 ransomware affiliates against Boeing, ICBC, Allen & Overy, and DP World via HTTP Host-header manipulation to leak AAA session cookies and hijack authenticated sessions without credentials or MFA) and continuing through CVE-2025-5777, CVE-2025-12101, and CVE-2026-3055. Each variant has independently demonstrated that NetScaler's custom XML/HTTP parsing layers are a recurring, systemic source of pre-auth memory disclosure in edge/VPN-gateway infrastructure -- a device class that is internet-facing by design and therefore an especially attractive initial-access vector for ransomware affiliates and APT groups alike.
Within 24 hours of the 2026-06-30 public disclosure and patch release, a single actor operating from 146.70.139.154 (M247 Europe SRL, AS9009, Frankfurt/Romania-registered hosting) began opportunistic, unauthenticated scanning and exploitation attempts against the /saml/login endpoint using a python-requests/2.32.5 automated client, sending crafted <samlp:AuthnRequest> payloads with 400+ space-padded attribute values consistent with reproduction of the public watchTowr research and/or its companion Detection Artefact Ge
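Detection logic for the scanning traffic described above, as an added example that is not one of the Threadlinqs rules: it decodes the SAMLRequest parameter from constructed access-log lines and flags the malformed-AuthnRequest traits the advisory names (unquoted attribute left blank before whitespace, tag never closed, 400+ space padding, Issuer element outside the AuthnRequest), then enriches hits with the python-requests user agent. The log format, the field layout and the sample lines are constructed; the example assumes the proxy logs the SAMLRequest parameter as plain base64.

```python
import base64
import re
from urllib.parse import parse_qs, quote

OPEN_TAG = re.compile(rb"<samlp:AuthnRequest\b")
ISSUER = re.compile(rb"<saml:Issuer\b")
UNQUOTED_ATTR = re.compile(rb"\s([A-Za-z_:][\w.:-]*)=(?=\s|$)")   # attr= followed by whitespace/EOF, not a quote
PAD_RUN = re.compile(rb" {400,}")                                   # the 400+ space padding seen in the scanning
LOG_RE = re.compile(r'^(\S+) (\S+) "(\S+) (/saml/login\S*)" "([^"]*)"$')   # constructed: ts ip "method target" "ua"

def inspect_request(xml: bytes) -> list[str]:
    """Return the malformed-AuthnRequest traits present in one decoded SAMLRequest (empty if well-formed)."""
    findings: list[str] = []
    tag = OPEN_TAG.search(xml)
    if tag is None:
        return findings
    header = xml[tag.end():].split(b">", 1)           # attribute region, plus the rest if the tag was closed
    if len(header) == 1:
        findings.append("authnrequest_tag_never_closed")
    findings += ["unquoted_attribute:" + m.group(1).decode() for m in UNQUOTED_ATTR.finditer(header[0])]
    if PAD_RUN.search(header[0]):
        findings.append("space_padded_attribute")
    issuer = ISSUER.search(xml)
    if issuer and issuer.start() < tag.start():      # <saml:Issuer> supplied before/outside the AuthnRequest
        findings.append("issuer_outside_authnrequest")
    return findings

def scan_log(lines: list[str]) -> dict[str, list[str]]:
    """Map client IP -> accumulated findings for /saml/login requests carrying a malformed SAMLRequest."""
    hits: dict[str, list[str]] = {}
    for m in filter(None, map(LOG_RE.match, lines)):   # LOG_RE already restricts to the /saml/login path
        _ts, ip, _method, target, ua = m.groups()
        b64 = parse_qs(target.partition("?")[2]).get("SAMLRequest", [""])[0]
        findings = inspect_request(base64.b64decode(b64 + "=" * (-len(b64) % 4))) if b64 else []
        if findings and ua.startswith("python-requests/"):   # enrich only requests that are already suspicious
            findings.append("scanner_user_agent")
        if findings:
            hits.setdefault(ip, []).extend(findings)
    return hits

def log_line(ip: str, ua: str, xml: bytes) -> str:
    """One constructed access-log line with the SAMLRequest parameter as URL-safe-quoted plain base64."""
    return f'2026-07-01T02:10:00Z {ip} "GET /saml/login?SAMLRequest={quote(base64.b64encode(xml).decode(), safe="")}" "{ua}"'

# Constructed sample traffic: one well-formed request and two shaped like the payloads described above.
BENIGN = b'<samlp:AuthnRequest ID="_4f1c" Version="2.0"><saml:Issuer>https://sp.example/</saml:Issuer></samlp:AuthnRequest>'
MALFORMED = b"<saml:Issuer>https://sp.example/</saml:Issuer>\n<samlp:AuthnRequest AssertionConsumerServiceURL=\n"
PADDED = b'<samlp:AuthnRequest ID="' + b" " * 420 + b'" Version="2.0">'
SAMPLE_LOG = [log_line("203.0.113.7", "Mozilla/5.0", BENIGN),
              log_line("198.51.100.23", "python-requests/2.32.5", MALFORMED),
              log_line("198.51.100.23", "python-requests/2.32.5", PADDED)]
```

Requests sent with the HTTP-Redirect binding are raw-deflated before base64; in that case apply `zlib.decompress(raw, -15)` to the decoded bytes before calling `inspect_request`.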
Weaknesses (CWE)
CWE-125, CWE-119, CWE-20, CWE-287
Target sectors: government administration, finance, health, technology, legal, manufacturing, critical-infrastructure, education
Target regions: North America, Europe, Asia-Pacific, Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 20 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, CVE-2026-13474, CVE-2023-4966, CVE-2025-5777, CVE-2025-12101, CVE-2026-3055, T1595, T1583, T1588, T1190, T1539, T1606, T1212, T1518, T1550, T1210