PT-2026-53879 · Citrix · Netscaler Gateway+1

Published

2026-03-28

·

Updated

2026-07-04

·

CVE-2026-8451

CVSS v2.0

9.7

High

VectorAV:N/AC:L/Au:N/C:C/I:P/A:C
Name of the Vulnerable Software and Affected Versions NetScaler ADC versions prior to 14.1-72.61 NetScaler ADC versions prior to 13.1-63.18 NetScaler ADC FIPS versions prior to 14.1-72.61 FIPS NetScaler ADC NDcPP versions prior to 13.1-37.272 NetScaler Gateway versions prior to 14.1-72.61 NetScaler Gateway versions prior to 13.1-63.18
Description Insufficient input validation in the custom SAML XML parser leads to a memory overread when the system is configured as a SAML Identity Provider (IdP). An unauthenticated remote attacker can send a crafted AuthnRequest to the /saml/login endpoint where the AssertionConsumerServiceURL or ID attributes lack a closing quote and are followed by a newline. This causes the parser to read past the input buffer, leaking process memory—including heap pointers, session data fragments, internal process structures, and authentication tokens—into the NSC TASS cookie returned in the HTTP 302 response. This memory leak can be used as an ASLR (Address Space Layout Randomization) bypass primitive or cause the nsppe process to crash, resulting in a denial-of-service. Real-world exploitation was detected within 24 hours of disclosure.
Recommendations Update NetScaler ADC to version 14.1-72.61 or later. Update NetScaler ADC to version 13.1-63.18 or later. Update NetScaler ADC FIPS to version 14.1-72.61 FIPS or later. Update NetScaler ADC NDcPP to version 13.1-37.272 or later. Update NetScaler Gateway to version 14.1-72.61 or later. Update NetScaler Gateway to version 13.1-63.18 or later. As a temporary mitigation, disable the SAML Identity Provider (IdP) mode if it is not required.

Fix

LPE

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-08971
CVE-2026-8451

Affected Products

Netscaler Adc
Netscaler Gateway