CVE-2026-11596

MEDIUM

Connectwise ScreenConnect - Improper Validation of Specified Quantity in Input

Title source: rule

Description

In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.

References (1)

Core 1

Core References

https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596

View Writeup ZIP pw:eip

Scores

CVSS v3 4.7

EPSS 0.0022

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1284

Status published

Products (1)

ConnectWise/ScreenConnect All versions prior to 26.2

Published Jun 10, 2026

Tracked Since Jun 11, 2026