CVE-2026-11596

MEDIUM 4.7

CVSS Score

4.7

EPSS Score

0.0%

EPSS Percentile

0th

In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.

CWE	CWE-1284
Vendor	connectwise
Product	screenconnect
Published	Jun 10, 2026
Last Updated	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for connectwise screenconnect

Be the first to know when new medium vulnerabilities affecting connectwise screenconnect are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected Versions

ConnectWise / ScreenConnect

All versions prior to 26.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596

Credits

Damian West (Austin Group)