PT-2026-53879 · Citrix · Netscaler Gateway+1
Published
2026-03-28
·
Updated
2026-07-04
·
CVE-2026-8451
CVSS v2.0
9.7
High
| Vector | AV:N/AC:L/Au:N/C:C/I:P/A:C |
Name of the Vulnerable Software and Affected Versions
NetScaler ADC versions prior to 14.1-72.61
NetScaler ADC versions prior to 13.1-63.18
NetScaler ADC FIPS versions prior to 14.1-72.61 FIPS
NetScaler ADC NDcPP versions prior to 13.1-37.272
NetScaler Gateway versions prior to 14.1-72.61
NetScaler Gateway versions prior to 13.1-63.18
Description
Insufficient input validation in the custom SAML XML parser leads to a memory overread when the system is configured as a SAML Identity Provider (IdP). An unauthenticated remote attacker can send a crafted
AuthnRequest to the /saml/login endpoint where the AssertionConsumerServiceURL or ID attributes lack a closing quote and are followed by a newline. This causes the parser to read past the input buffer, leaking process memory—including heap pointers, session data fragments, internal process structures, and authentication tokens—into the NSC TASS cookie returned in the HTTP 302 response. This memory leak can be used as an ASLR (Address Space Layout Randomization) bypass primitive or cause the nsppe process to crash, resulting in a denial-of-service. Real-world exploitation was detected within 24 hours of disclosure.Recommendations
Update NetScaler ADC to version 14.1-72.61 or later.
Update NetScaler ADC to version 13.1-63.18 or later.
Update NetScaler ADC FIPS to version 14.1-72.61 FIPS or later.
Update NetScaler ADC NDcPP to version 13.1-37.272 or later.
Update NetScaler Gateway to version 14.1-72.61 or later.
Update NetScaler Gateway to version 13.1-63.18 or later.
As a temporary mitigation, disable the SAML Identity Provider (IdP) mode if it is not required.
Fix
LPE
Out of bounds Read
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Netscaler Adc
Netscaler Gateway