Multiple Vulnerabilities in NetScaler Products
2 July 2026
Attackers can exploit multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway to read arbitrary files, trigger denial-of-service conditions, and disclose sensitive memory contents. Patch immediately.
Background
Citrix has released security updates to address multiple vulnerabilities affecting NetScaler ADC and NetScaler Gateway.
These vulnerabilities have Common Vulnerability Scoring System (CVSS v4.0) scores of: CVE-2026-8451 at 8.8, CVE-2026-8452 at 8.8, CVE-2026-8655 at 8.8, CVE-2026-10816 at 7.1, CVE-2026-10817 at 6.9, and CVE-2026-13474 at 8.7 out of 10.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-8451: Due to insufficient input validation, an attacker could trigger memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML Identity Provider (IDP), potentially disclosing sensitive memory contents.
CVE-2026-8452: Due to a memory overflow vulnerability, an attacker could cause unpredictable or erroneous behaviour and denial-of-service when the appliance is configured as a Gateway or an AAA virtual server.
CVE-2026-8655: Due to multiple memory overflow vulnerabilities, an attacker could cause unpredictable or erroneous behaviour and denial-of-service when NetScaler ADC is configured as a load balancer of type Oracle, a DNS Proxy, or a DNS recursive resolver.
CVE-2026-10816: Due to external control of file name or path, an unauthenticated attacker could perform arbitrary file reads when access to NSIP, Cluster Management IP, or SNIP with management access is enabled.
CVE-2026-10817: Due to insufficient input validation, an attacker could trigger memory overread when TCP TimeStamp is enabled in a TCP Profile associated with a virtual server or service configured on NetScaler.
CVE-2026-13474: Due to a missing release of memory after its effective lifetime, an attacker could cause denial-of-service via malformed HTTP/2 requests when HTTP/2 is enabled in an HTTP Profile associated with a virtual server or service configured on NetScaler.
Affected Products
These vulnerabilities affect the following versions of NetScaler ADC and NetScaler Gateway:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-72.61
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-63.18
NetScaler ADC FIPS before 14.1-72.61 FIPS
NetScaler ADC FIPS and NDcPP before 13.1-37.272
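As an added example (not Citrix code), the following script compares a NetScaler build string against the first fixed builds listed above, so an inventory can be triaged for hosts still needing the update. It assumes the usual "<major>.<minor>-<build>.<revision>" build-string format and a constructed sample inventory.

```python
import re
from typing import Optional

# First fixed builds from this advisory, keyed by (branch, edition).
# The 13.1 FIPS/NDcPP line is a separate build train from standard 13.1.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-72.61",
    ("13.1", "standard"): "13.1-63.18",
    ("14.1", "fips"): "14.1-72.61",
    ("13.1", "fips"): "13.1-37.272",
}

# Assumed build-string format, e.g. "14.1-72.50"
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> tuple:
    """Split a NetScaler build string into (major, minor, build, revision) ints."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(build: str, fips: bool = False) -> Optional[bool]:
    """True if the build predates the fixed build for its branch, False if it
    is at or above the fix, None if the branch is not covered by this advisory."""
    major, minor, bld, rev = parse_build(build)
    fixed = FIXED_BUILDS.get((f"{major}.{minor}", "fips" if fips else "standard"))
    if fixed is None:
        return None
    # Branch matches, so only the build/revision pair decides the outcome.
    return (bld, rev) < parse_build(fixed)[2:]


def hosts_needing_patch(inventory) -> list:
    """Return hostnames from (host, build, fips) tuples that are still affected."""
    return [host for host, build, fips in inventory if is_vulnerable(build, fips)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("gw-edge-01", "14.1-72.50", False),   # affected: below 14.1-72.61
    ("gw-edge-02", "14.1-72.61", False),   # fixed
    ("adc-core-01", "13.1-63.18", False),  # fixed
    ("adc-fips-01", "13.1-37.250", True),  # affected: below 13.1-37.272
]

if __name__ == "__main__":
    print("needs patch:", hosts_needing_patch(SAMPLE_INVENTORY))
```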
Recommendations
Users and administrators of affected products are advised to update to the latest versions immediately.
For CVE-2026-13474, administrators should also set the Http2SmallWndTimeout parameter to 30 seconds, particularly on appliances not using HTTP Strict Profiles where the default value is 0. Please refer to Citrix's advisory here for the specific configuration steps required.
References
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696604
https://nvd.nist.gov/vuln/detail/CVE-2026-8451
https://nvd.nist.gov/vuln/detail/CVE-2026-8452
https://nvd.nist.gov/vuln/detail/CVE-2026-8655
https://nvd.nist.gov/vuln/detail/CVE-2026-10816
https://nvd.nist.gov/vuln/detail/CVE-2026-10817
https://nvd.nist.gov/vuln/detail/CVE-2026-13474
https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
