CVE-2026-11596
Awaiting Analysis - Queue
Input Validation Flaw in ScreenConnect Host Pass Creation

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: ConnectWise

Description
In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
screenconnect | screenconnect | to 26.2 (exc)
connectwise | screenconnect | to 26.2 (exc)
CWE ID | Description
CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
Executive Summary

CVE-2026-11596 is a vulnerability in ScreenConnect versions prior to 26.2 involving improper input validation in the Host Pass creation functionality.

This flaw allows an authenticated user who has Host Pass creation privileges to specify a token expiration duration that exceeds the intended maximum limit when generating delegated access tokens.

As a result, delegated access tokens could remain valid longer than intended, potentially increasing the risk of unauthorized access.

Compliance Impact

This vulnerability allows authenticated users with Host Pass creation privileges to generate delegated access tokens with expiration durations beyond the intended maximum, potentially resulting in tokens remaining valid longer than intended.

Extended token validity could increase the risk of unauthorized access or prolonged access to sensitive data, which may impact compliance with standards and regulations such as GDPR and HIPAA that require strict access controls and timely revocation of access.

However, the provided information does not explicitly detail the direct compliance impact or specific regulatory implications.

Impact Analysis

The vulnerability can impact you by allowing delegated access tokens to remain valid for longer than intended, which increases the window of opportunity for misuse or unauthorized access.

Since the tokens grant delegated access, extended validity could lead to elevated risks of data exposure or unauthorized actions within the affected ScreenConnect environment.

The CVSS score of 4.7 (Medium) reflects that this vulnerability has a moderate impact on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade ScreenConnect to version 26.2 or later, which contains the patch for this issue.

For cloud-hosted ScreenConnect servers, no action is required as they have already been updated.

For on-premise deployments, users should perform the upgrade to version 26.2 or later as soon as possible.

For Automate-integrated ScreenConnect deployments, apply ScreenConnect 26.2 or the latest version through the Automate Product Updates page.

Users with out-of-maintenance licenses must renew or upgrade their licenses before installing the latest supported release.
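
The CWE-1284 pattern described above, sketched as a server-side lifetime check plus an audit of already-issued tokens. This is an added illustration, not ConnectWise or ScreenConnect code: the 24-hour MAX_TTL, the function names and the record fields are assumptions, since the advisory does not state the real maximum or any token format.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy ceiling; the advisory does not state the product's actual maximum.
MAX_TTL = timedelta(hours=24)

def validate_ttl(requested_seconds):
    """Return a timedelta for a client-supplied lifetime, or raise ValueError."""
    # bool is a subclass of int; reject it and any non-integer (floats admit NaN/inf).
    if isinstance(requested_seconds, bool) or not isinstance(requested_seconds, int):
        raise ValueError("lifetime must be an integer number of seconds")
    if requested_seconds <= 0:
        raise ValueError("lifetime must be positive")
    # Compare as plain integers first so a huge value never reaches timedelta().
    if requested_seconds > int(MAX_TTL.total_seconds()):
        raise ValueError("lifetime exceeds the configured maximum")
    return timedelta(seconds=requested_seconds)

def issue_token_expiry(requested_seconds, now=None):
    """Compute the expiry on the server from a validated lifetime."""
    now = now or datetime.now(timezone.utc)
    return now + validate_ttl(requested_seconds)

def find_overlong_tokens(records):
    """Audit issued tokens: return the ids whose lifetime exceeds MAX_TTL."""
    flagged = []
    for rec in records:
        issued = datetime.fromisoformat(rec["issued"])
        expires = datetime.fromisoformat(rec["expires"])
        if expires - issued > MAX_TTL:
            flagged.append(rec["id"])
    return flagged

# Constructed sample records (hypothetical fields, not a real export format).
SAMPLE = [
    {"id": "t1", "issued": "2026-06-01T09:00:00+00:00", "expires": "2026-06-01T17:00:00+00:00"},
    {"id": "t2", "issued": "2026-06-01T09:00:00+00:00", "expires": "2027-06-01T09:00:00+00:00"},
    {"id": "t3", "issued": "2026-06-02T00:00:00+00:00", "expires": "2026-06-03T00:00:00+00:00"},
]

if __name__ == "__main__":
    print(find_overlong_tokens(SAMPLE))
```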
