Skip to main content

ConnectWise ScreenConnect CVE-2026-11596

| EUVDEUVD-2026-36079 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-10 ConnectWise GHSA-ff2m-7qh4-77hp
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 18:57 vuln.today

DescriptionNVD

In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.

AnalysisAI

ScreenConnect versions prior to 26.2 permit an authenticated user holding Host Pass creation privileges to bypass the intended maximum token expiration duration when generating delegated access tokens. The root cause is improper input validation (CWE-1284) on the duration field in the Host Pass workflow, allowing the value to exceed its designed upper bound. While no public exploit or CISA KEV listing exists at time of analysis, successful abuse results in the creation of anomalously long-lived access tokens, extending delegated access well beyond the security policy limit - a persistence and access-control integrity risk.

Technical ContextAI

ScreenConnect is ConnectWise's remote support and access platform. The 'Host Pass' feature allows privileged users to generate time-limited delegated access tokens that can be shared with third parties for scoped, temporary sessions. The vulnerability maps to CWE-1284 (Improper Validation of Specified Quantity in Input), meaning the application fails to enforce an upper bound on a user-supplied numeric quantity - specifically the token TTL (time-to-live) duration. Rather than capping the submitted expiration value at a server-enforced maximum, the application accepts an out-of-range integer, resulting in tokens that remain valid far longer than intended. The affected CPE is cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:* for all versions preceding 26.2.

RemediationAI

Vendor-released patch: ScreenConnect 26.2. Upgrade to version 26.2 or later, which enforces a server-side maximum on token expiration duration in the Host Pass creation workflow. Details are available in the ConnectWise advisory at https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596. If immediate patching is not feasible, a targeted compensating control is to audit and revoke Host Pass creation privileges from all non-essential user accounts - this eliminates the privilege prerequisite and fully neutralizes exploitation. Administrators should also audit currently active Host Pass tokens for anomalously long expiration dates and revoke any that exceed the expected maximum, as tokens generated prior to patching are not automatically invalidated by the upgrade. Restricting Host Pass creation to a minimal set of trusted accounts should be treated as a standing hardening measure regardless of patch status.

Share

CVE-2026-11596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy