Description
In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.
Published: 2026-06-10
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Insufficient input validation in the Host Pass creation workflow allows an authenticated user with Host Pass creation privileges to specify a token expiration duration beyond the intended maximum when generating delegated access tokens. Such a user can create long‑lived delegation tokens that remain valid for longer than the system normally permits, potentially retaining access to the host after the token would normally have expired. Because the attacker must already hold Host Pass creation privileges, the attack stays within the user's existing access rights, but it can enable lingering presence or repeated unauthorized activity.

Affected Systems

ConnectWise ScreenConnect on‑prem installations before version 26.2 are affected. For Cloud deployments, no action is required, as the servers have already been updated.

Risk and Exploitability

The CVSS score of 4.7 indicates Medium severity. Exploitation requires authentication and Host Pass creation rights (PR:H in the CVSS vector), so the attack would be carried out by an already trusted user or with that user's credentials. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low to moderate likelihood of exploitation at this time.

Generated by OpenCVE AI on June 10, 2026 at 19:51 UTC.

Remediation

Vendor Solution

Cloud: No action is required. ScreenConnect servers hosted in the ScreenConnect cloud environment have been updated to remediate this issue.
On-prem: Upgrade to ScreenConnect version 26.2 or later.


OpenCVE Recommended Actions

  • Upgrade on‑prem ScreenConnect installations to version 26.2 or later.
  • Limit the assignment of Host Pass creation privileges to only trusted, necessary users.
  • Audit delegated access token lifetimes to detect anomalously long expiration values.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Title | | Authenticated Host Pass Creation Allows Arbitrary Token Expiration in ScreenConnect

Wed, 10 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Connectwise; Connectwise screenconnect
Vendors & Products | | Connectwise; Connectwise screenconnect

Wed, 10 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.
Weaknesses | | CWE-1284
References | |
Metrics | | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: ConnectWise

Published:

Updated: 2026-06-10T18:18:41.537Z

Reserved: 2026-06-08T14:17:16.449Z

Link: CVE-2026-11596

Vulnrichment

Updated: 2026-06-10T18:18:38.074Z

NVD

Status: Awaiting Analysis

Published: 2026-06-10T18:16:40.113

Modified: 2026-06-10T20:19:35.917

Link: CVE-2026-11596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:00:16Z
