What the flaw actually leaks

CVE-2026-8451 lives in NetScaler ADC and NetScaler Gateway when the appliance is configured as a SAML identity provider, the box that authenticates your staff before they reach anything inside. The XML parser at the /saml/login endpoint fails to stop reading an attribute value when it meets a newline, so it walks past the end of the buffer and copies whatever sits in adjacent memory into the NSC_TASS cookie it returns.

That adjacent memory is not random noise. An identity gateway handles a constant stream of logins, so its memory holds session tokens, cookies and credentials for the people currently working. Leak enough of it and an attacker replays a live session, arriving as an already-authenticated employee and stepping around multi-factor prompts entirely, because the token they hold was minted after the second factor was already satisfied.

The patch was not the finish line

Citrix shipped the fix on 30 June 2026 in advisory CTX696604. Within roughly a day, sensors were catching live exploitation, and by the fourth day CrowdSec had counted 71 unique malicious addresses and 424 exploitation signals, with a single-day peak of 127. The window between a public patch and mass exploitation is now measured in hours, not weeks, because the patch itself tells attackers exactly where to look.

This is the same class of bug that made the original CitrixBleed one of the most damaging flaws of 2023, and it keeps returning to the same product for a reason. The gateway that authenticates an entire organisation is the single highest-value box on the network, so one leaked appliance can undo every other control behind it, which is why it earns a same-day patch commitment that most firms reserve for nothing else.

What to do before the weekend

Upgrade NetScaler ADC and Gateway to 14.1-72.61 or 13.1-63.18 or later, then check whether your appliance is actually configured as a SAML identity provider, since that is the exposed path. The flaw is on the CISA known-exploited list and has drawn advisories from the UK NCSC, which for many operators is the trigger that moves it from backlog to same-day.

Then evict the sessions. A patch stops new memory from leaking, but a token stolen an hour before you patched still logs in, so terminate active sessions and force re-authentication after you update. Under NIS2 the duty to report a resulting breach falls on you as the operator, even though the flaw sits in a vendor appliance, so the record of when you patched and when you rotated matters as much as the fix itself.