CVE-2026-8451

HIGH EXPLOITED

NetScaler - Insufficient Input Validation Leading to Memory Overread

Title source: rule
STIX 2.1

Exploitation Summary

CVE-2026-8451 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 7 public exploits from researchers including HermesNA-1, derekpreston81, watchtowrlabs.

AI-analyzed exploit summary This repository contains an auto-generated stub module for CVE-2026-8451, an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway configured as a SAML IDP, leading to memory overread. The code lacks actual exploit implementation and only includes placeholder logic for connectivity checks.

Description

Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread if NetScaler ADC or NetScaler Gateway is configured as a SAML IDP

Exploits (7)

github STUB 1 stars
by HermesNA-1 · pythonpoc
https://github.com/HermesNA-1/SnakeSploit/tree/main/data/modules_generated/cve-2026-8451_insufficient_input_validation.py

This repository contains an auto-generated stub module for CVE-2026-8451, an insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway configured as a SAML IDP, leading to memory overread. The code lacks actual exploit implementation and only includes placeholder logic for connectivity checks.

Classification
Stub 99%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Theoretical
Target: NetScaler ADC and NetScaler Gateway (SAML IDP configuration)
No auth needed
Prerequisites: Target must be configured as a SAML Identity Provider (IDP) · Network access to the target on the specified port
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →
github SCANNER 1 stars
by derekpreston81 · pythonpoc
https://github.com/derekpreston81/CVE_ADC_IOC_2026

This repository contains a Python script that scans NetScaler configuration files for preconditions associated with multiple CVEs, including CVE-2026-8451. It does not exploit the vulnerabilities but detects configurations that may indicate vulnerability.

Classification
Scanner 100%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: NetScaler ADC
No auth needed
Prerequisites: access to NetScaler configuration file or SSH credentials
mistral-large-3 · analyzed Jul 01, 2026 Full analysis →
github WORKING POC 1 stars
by watchtowrlabs · pythoninfoleak
https://github.com/watchtowrlabs/watchTowr-vs-Netscaler-CVE-2026-8451

This repository contains a functional exploit for CVE-2026-8451, a memory overread vulnerability in Citrix Netscaler. The PoC sends crafted SAML requests to trigger the vulnerability and leaks memory contents via the NSC_TASS cookie.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix Netscaler ADC and Gateway (versions 14.1 before 14.1-72.61, 13.1 before 13.1-63.18, and FIPS/NDcPP versions)
No auth needed
Prerequisites: Network access to the target Netscaler device · SAML endpoint exposed
mistral-large-3 · analyzed Jul 01, 2026 Full analysis →
github WORKING POC
by amnsecurity · pythonpoc
https://github.com/amnsecurity/CVE-2026-8451-CitrixBleed

This repository contains a functional exploit for CVE-2026-8451, a pre-authentication out-of-bounds read vulnerability in Citrix NetScaler ADC/Gateway (SAML IdP mode). The exploit sends malformed SAML AuthnRequest payloads to trigger memory leaks via XML parser mishandling, exposing sensitive process memory in HTTP responses.

Classification
Working Poc 98%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix NetScaler ADC and NetScaler Gateway (SAML IdP mode), versions 14.1 < 14.1-72.61 and 13.1 < 13.1-63.18
No auth needed
Prerequisites: Target must be configured as a SAML Identity Provider (IdP) · Access to `/saml/login` endpoint · Affected NetScaler version
mistral-large-3 · analyzed Jul 08, 2026 Full analysis →
github WRITEUP
by 0xBlackash · infoleak
https://github.com/0xBlackash/CVE-2026-8451

This repository provides a detailed technical analysis of CVE-2026-8451, a pre-authentication memory disclosure vulnerability (CWE-125) in Citrix NetScaler ADC/Gateway configured as a SAML Identity Provider. The writeup includes root cause analysis, affected versions, patch details, and mitigation strategies but does not contain exploit code.

Classification
Writeup 98%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Theoretical
Target: Citrix NetScaler ADC and NetScaler Gateway (SAML IdP configurations)
No auth needed
Prerequisites: NetScaler ADC/Gateway configured as a SAML Identity Provider · Network access to the `/saml/login` endpoint
mistral-large-3 · analyzed Jul 03, 2026 Full analysis →
github SUSPICIOUS
by HORKimhab · poc
https://github.com/HORKimhab/poc-cve-collection/tree/main/2026/8xxx/CVE-2026-8451.md

The repository contains no actual exploit code or technical analysis, only links to external GitHub repositories and an encrypted backup file hosted on a third-party archive service. The description is vague and lacks depth or technical details about the vulnerability mechanics.

Classification
Suspicious 98%
Attack Type
Info Leak
Complexity
Unknown
Reliability
Unknown
Target: NetScaler ADC and NetScaler Gateway (SAML IDP configuration)
No auth needed
Prerequisites: NetScaler ADC or NetScaler Gateway configured as a SAML IDP
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →
github WORKING POC
by attarwahyup · pythoninfoleak
https://github.com/attarwahyup/Netscaler-CVE-2026-8451

This repository contains a functional exploit PoC for CVE-2026-8451, a memory overread vulnerability in Citrix NetScaler. The script crafts malformed SAML requests to trigger memory leaks, demonstrating the vulnerability by dumping leaked bytes from the NSC_TASS cookie.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Citrix NetScaler ADC and Gateway (versions 14.1 before 14.1-72.61, 13.1 before 13.1-63.18, and FIPS/NDcPP versions)
No auth needed
Prerequisites: Network access to the target NetScaler instance · SAML endpoint exposed at /saml/login
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →

Scores

CVSS v3 7.5
EPSS 0.0050
EPSS Percentile 39.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-07-01
CWE
CWE-125
Status published
Products (10)
citrix/netscaler_application_delivery_controller 14.1-66.68
citrix/netscaler_application_delivery_controller < 13.1-37.272 (2 CPE variants)
citrix/netscaler_application_delivery_controller 13.1 - 13.1-63.18
citrix/netscaler_gateway 13.1 - 13.1-63.18
NetScaler/ADC 13.1 - 63.18
NetScaler/ADC 13.1 FIPS and NDcPP - 37.272
NetScaler/ADC 14.1 - 72.61
NetScaler/ADC 14.1 FIPs - 72.61
NetScaler/Gateway 13.1 - 63.18
NetScaler/Gateway 14.1 - 72.61
Published Jun 30, 2026
Tracked Since Jun 30, 2026