Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionNVD
In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.
AnalysisAI
ScreenConnect versions prior to 26.2 permit an authenticated user holding Host Pass creation privileges to bypass the intended maximum token expiration duration when generating delegated access tokens. The root cause is improper input validation (CWE-1284) on the duration field in the Host Pass workflow, allowing the value to exceed its designed upper bound. While no public exploit or CISA KEV listing exists at time of analysis, successful abuse results in the creation of anomalously long-lived access tokens, extending delegated access well beyond the security policy limit - a persistence and access-control integrity risk.
Technical ContextAI
ScreenConnect is ConnectWise's remote support and access platform. The 'Host Pass' feature allows privileged users to generate time-limited delegated access tokens that can be shared with third parties for scoped, temporary sessions. The vulnerability maps to CWE-1284 (Improper Validation of Specified Quantity in Input), meaning the application fails to enforce an upper bound on a user-supplied numeric quantity - specifically the token TTL (time-to-live) duration. Rather than capping the submitted expiration value at a server-enforced maximum, the application accepts an out-of-range integer, resulting in tokens that remain valid far longer than intended. The affected CPE is cpe:2.3:a:connectwise:screenconnect:*:*:*:*:*:*:*:* for all versions preceding 26.2.
RemediationAI
Vendor-released patch: ScreenConnect 26.2. Upgrade to version 26.2 or later, which enforces a server-side maximum on token expiration duration in the Host Pass creation workflow. Details are available in the ConnectWise advisory at https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596. If immediate patching is not feasible, a targeted compensating control is to audit and revoke Host Pass creation privileges from all non-essential user accounts - this eliminates the privilege prerequisite and fully neutralizes exploitation. Administrators should also audit currently active Host Pass tokens for anomalously long expiration dates and revoke any that exceed the expected maximum, as tokens generated prior to patching are not automatically invalidated by the upgrade. Restricting Host Pass creation to a minimal set of trusted accounts should be treated as a standing hardening measure regardless of patch status.
More in Screenconnect
View allA cryptographic authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers who gain access
ConnectWise ScreenConnect versions 22.6 and below contained a flaw allowing potential brute force attacks on custom acce
ConnectWise ScreenConnect 25.2.3 and earlier may be susceptible to ViewState code injection when machine keys are compro
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36079
GHSA-ff2m-7qh4-77hp