
CVE-2026-8451 is a pre-authentication memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway, dubbed "CitrixBleed To Infinity And Beyond" by researchers at watchTowr Labs. The flaw stems from insufficient input validation in the SAML IDP functionality and is only exploitable when the appliance is configured as a SAML Identity Provider (IDP). Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-72.61, 13.1 before 13.1-63.18, ADC FIPS 14.1 before 14.1-72.61, and ADC FIPS/NDcPP 13.1 before 13.1-37.272. It was discovered by watchTowr Labs on March 28, 2026, reported to Citrix the same day, and publicly disclosed on June 30, 2026. The vulnerability carries a CVSS v4.0 base score of 8.8 (High) (GitHub Advisory, watchTowr Labs).
The root cause is a custom XML attribute parser in NetScaler's SAML IDP processing code that lacks proper bounds checking (CWE-125: Out-of-bounds Read). The parser handles unquoted XML attribute values differently from quoted ones — for unquoted values, it only stops scanning on a null byte, closing >, or matching quote character, rather than on whitespace. This means a crafted SAML AuthnRequest submitted to the /saml/login endpoint with a newline-terminated or unterminated AssertionConsumerServiceURL or ID attribute causes the parser to read beyond the end of the input buffer. The overread data is then embedded into the NSC_TASS cookie returned in the HTTP 302 response, leaking arbitrary memory contents to the unauthenticated attacker. watchTowr also noted that the leaked data may include process memory pointers, potentially enabling use as an infoleak primitive for chaining with memory corruption bugs (watchTowr Labs, GitHub Advisory).
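The following is an added, constructed model of the scanning defect described above, not NetScaler's parser or watchTowr's code: a request is placed at the front of a bytes arena whose remaining bytes stand in for adjacent process memory, and the vulnerable scanner is handed only a start offset (never the request length), so a newline-terminated or unterminated unquoted value runs into the adjacent region, while the bounded scanner stops at whitespace or the end of the request.

```python
# Constructed model of the parser defect; not NetScaler's code.
# Byte values a scanner stops on for an unquoted attribute value.
STOP_VULNERABLE = {0, ord(">"), ord('"'), ord("'")}          # NUL, '>', quotes only
STOP_BOUNDED = STOP_VULNERABLE | {ord(c) for c in " \t\r\n"}  # plus whitespace


def scan_unquoted_vulnerable(arena: bytes, start: int) -> bytes:
    """Stops only on NUL, '>' or a quote, so a value terminated by a
    newline, or not terminated at all, runs past the request into
    whatever bytes follow it in memory."""
    end = start
    while end < len(arena) and arena[end] not in STOP_VULNERABLE:
        end += 1
    return arena[start:end]


def scan_unquoted_bounded(arena: bytes, start: int, limit: int) -> bytes:
    """Hardened form: bounded by the request length and terminated by
    any whitespace, as the XML grammar requires for unquoted values."""
    end = start
    while end < limit and arena[end] not in STOP_BOUNDED:
        end += 1
    return arena[start:end]


def demo(request: bytes, adjacent: bytes = b"ADJACENT-MEMORY-CONTENTS>") -> tuple:
    """Return (vulnerable_result, bounded_result) for the attribute value
    that begins after 'ID=' in `request`; `adjacent` is the constructed
    stand-in for memory beyond the request buffer."""
    arena = request + adjacent
    start = request.index(b"ID=") + len(b"ID=")
    return (scan_unquoted_vulnerable(arena, start),
            scan_unquoted_bounded(arena, start, len(request)))


if __name__ == "__main__":
    # Constructed request: unquoted ID value terminated by a newline.
    leaked, safe = demo(b"<AuthnRequest ID=abc123\n")
    print("vulnerable:", leaked)   # runs into the adjacent region
    print("bounded:   ", safe)     # stops at the newline
```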
Successful exploitation allows an unauthenticated remote attacker to read arbitrary memory from the NetScaler process, potentially exposing sensitive data such as session tokens, credentials, cryptographic material, or internal memory pointers. The confidentiality impact is rated High, and the availability impact is also High — watchTowr demonstrated that certain malformed requests can reliably crash the target system, causing denial of service. While integrity impact is rated Low and there is no direct code execution, leaked memory pointers could serve as a building block for a full device compromise when chained with a memory corruption vulnerability. Given NetScaler's role as a front-door authentication and remote access gateway in enterprise environments, memory disclosure could facilitate session hijacking or lateral movement (watchTowr Labs, GitHub Advisory).
Exploitation details:
Trigger: an AuthnRequest XML document in which the AssertionConsumerServiceURL or ID attribute value is unquoted and terminated by a newline character (or left unterminated) rather than by a space or a closing >.
Request: the /saml/login endpoint, via POST /saml/login HTTP/1.1 with the body SAMLRequest=<base64-encoded-payload>.
Leak channel: the NSC_TASS cookie in the HTTP 302 response. Base64-decoding the cookie value recovers the overread memory bytes, which may include arbitrary process memory contents from beyond the input buffer.
Detection indicators:
Network: requests to /saml/login with SAMLRequest parameters containing newline-terminated or unterminated XML attribute values; a high volume of requests to the SAML IDP endpoint from a single source IP.
Logs: entries in /var/log/ns.log showing the AuthnReq start tag parsed with unexpected or garbled acs= or id= values containing binary data, XML fragments, or data from beyond the request buffer; repeated 302 responses to /saml/login from unauthenticated sources.
Responses: NSC_TASS cookie values in HTTP responses that, when base64-decoded, contain binary data or memory artifacts inconsistent with normal SAML session data.
Process crashes: crashes of NetScaler processes (nsppe, nsnetsvc) potentially indicating exploitation attempts that trigger the DoS condition (watchTowr Labs).
Mitigation: Citrix has released patched versions: NetScaler ADC and Gateway 14.1-72.61, 13.1-63.18, ADC FIPS 14.1-72.61, and ADC FIPS/NDcPP 13.1-37.272. Organizations should upgrade to these versions immediately. As a temporary workaround if patching is not immediately possible, consider disabling SAML IDP functionality if it is not required, since the vulnerability is only exploitable when the appliance is configured as a SAML IDP. Additionally, implement network segmentation to restrict access to the NetScaler SAML endpoint (/saml/login) to trusted sources only. The Citrix advisory is available at CTX696604 (GitHub Advisory, watchTowr Labs).
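The two request- and response-side indicators above, as an added detection example that is not part of the original page or of any vendor tooling: one check decodes a POSTed SAMLRequest and flags an unquoted ID or AssertionConsumerServiceURL value that ends at a newline or at end of input, the other base64-decodes an NSC_TASS cookie value and flags binary content; the 5 % non-printable threshold is an assumption to tune per environment.

```python
import base64
import binascii
import re
from typing import List, Optional

# Unquoted value for one of the attributes named as the trigger: '=' followed
# by a byte that is neither a quote, '>' nor whitespace.
UNQUOTED = re.compile(rb"\b(AssertionConsumerServiceURL|ID)=([^\s\"'>])")
# Bytes a correct XML parser stops an unquoted value on.
VALUE_END = re.compile(rb"[\s>\"']")


def _b64(value: str) -> Optional[bytes]:
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def b64encode_str(raw: bytes) -> str:
    """Helper for building constructed samples."""
    return base64.b64encode(raw).decode()


def saml_request_indicators(saml_request_b64: str) -> List[str]:
    """Flag a SAMLRequest whose ID / AssertionConsumerServiceURL value is
    unquoted and terminated by a newline or not terminated at all."""
    xml = _b64(saml_request_b64)
    if xml is None:
        return ["SAMLRequest is not valid base64"]
    hits = []
    for m in UNQUOTED.finditer(xml):
        name = m.group(1).decode()
        rest = xml[m.start(2):]
        stop = VALUE_END.search(rest)
        if stop is None:
            hits.append(f"{name}: unquoted value unterminated at end of input")
        elif rest[stop.start()] in b"\r\n":
            hits.append(f"{name}: unquoted value terminated by newline")
    return hits


def nsc_tass_indicator(cookie_value: str, max_nonprintable_ratio: float = 0.05) -> bool:
    """True when a decoded NSC_TASS value carries binary content that a
    normal SAML session cookie would not (threshold is an assumption)."""
    raw = _b64(cookie_value)
    if not raw:
        return False
    nonprintable = sum(1 for b in raw
                       if (b < 0x20 and b not in b"\t\r\n") or b >= 0x7F)
    return nonprintable / len(raw) > max_nonprintable_ratio
```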
watchTowr Labs published a detailed technical write-up on June 30, 2026, framing CVE-2026-8451 as the latest in an ongoing class of "CitrixBleed"-style memory disclosure vulnerabilities endemic to NetScaler appliances, expressing frustration at the recurring pattern of memory management failures in a product that serves as a critical enterprise security control. The post gained significant traction on Reddit (r/netsec, r/cybersecurity, r/blueteamsec, r/SecOpsDaily) and Mastodon/Bluesky, with security researcher Kevin Beaumont (GossiTheDog) commenting on the disclosure. Media coverage appeared in CyberScoop, The Hacker News, GBHackers, and eSecurity Planet, with several outlets drawing comparisons to the original CitrixBleed (CVE-2023-4966). The Stack Technology noted that Citrix credited JPMorgan in the advisory alongside watchTowr. The Canadian Centre for Cyber Security (CCCS) issued advisory AV26-645, and SOCRadar published a dedicated blog post (watchTowr Labs, SOCRadar).
Source: This report was generated with the help of AI.