Citrix security advisory (AV26-645) – Update 1
Serial number: AV26-645 Date: June 30, 2026 Updated: July 2, 2026 On June 30, 2026, Citrix published a security advisory to address critical vulnerabilities in the following products: NetScaler ADC and NetScaler Gateway - versions 14.1 before 14.1-72.61 NetScaler ADC and NetScaler Gateway - versions 13.1 before 13.1-63.18 NetScaler ADC FIPS – versions before 14.1-72.61 FIPS NetScaler ADC FIPS and NDcPP – versions before 13.1-37.272 Update 1 Open-source reporting indicates that CVE-2026-8451 is being exploited. The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates. NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2026-8451, CVE-2026-8452, CVE-2026-8655, CVE-2026-10816, CVE-2026-10817, and CVE-2026-13474 Citrix Security Advisories
CSIRTS triage
- What
- Critical vulnerabilities related to insufficient input validation and memory management have been identified.
- Who is affected
- Users of NetScaler ADC and NetScaler Gateway running affected versions.
- Urgency
- Remediation is critical as one of the vulnerabilities is reportedly being exploited.
- Action
- Review the security bulletin and apply updates immediately.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch NetScaler ADC and NetScaler Gateway
Get an email when a new NetScaler ADC and NetScaler Gateway advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cyber.gc.ca/en/alerts-advisories/citrix-security-advisory-av26-645
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-84510.50% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 39% of all scored CVEs.
- Low exploitation riskCVE-2026-84520.49% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 38% of all scored CVEs.
- Low exploitation riskCVE-2026-86550.46% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2026-108160.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-108170.41% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 33% of all scored CVEs.
- Low exploitation riskCVE-2026-134740.44% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-8451 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-8452 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-8655 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-10816 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-10817 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-13474 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownCitrix Products Multiple Vulnerabilitieshkcert
- unknownAL26-016 - Vulnerability impacting Citrix NetScaler CVE-2026-8451cccs
- high[UPDATE] [high] Citrix Systems NetScaler ADC and Gateway: Multiple vulnerabilitiescert-bund
- unknownMultiple vulnerabilities in Citrix products (July 1, 2026)cert-fr-avis
- unknownNCSC-2026-0216 [1.00] [M/H] Vulnerabilities fixed in Citrix Netscaler ADC and Netscaler Gatewayncsc-nl
- criticalCVE-2026-8655: Multiple Memory overflow vulnerabilities in NetScaler ADC and NetScaler Gateway leading to unpr…nvd
- criticalCVE-2026-8452: Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or e…nvd
- highCVE-2026-8451: Insufficient input validation in NetScaler ADC and NetScaler Gateway leading to memory overread…nvd
- highCVE-2026-13474: Denial of service via malformed HTTP/2 requests in NetScaler ADC and NetScaler Gateway if HTTP…nvd
- highCVE-2026-10817: Insufficient input validation leading to memory overread in NetScaler ADC and NetScaler Gatewa…nvd
- highCVE-2026-10816: Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to …nvd
More from Canadian Centre for Cyber Security
- unknownBitWarden security advisory (AV26-683)2026-07-10
- criticalAL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 12026-07-10
- unknownMicrosoft Edge security advisory (AV26-682)2026-07-10
- criticalBroadcom VMware security advisory (AV26-681)2026-07-10
- unknownDjango security advisory (AV26-084) – Update 12026-07-09