{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-11596", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "state": "PUBLISHED", "assignerShortName": "ConnectWise", "dateReserved": "2026-06-08T14:17:16.449Z", "datePublished": "2026-06-10T17:15:07.586Z", "dateUpdated": "2026-06-10T18:18:41.537Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2026-06-10T17:15:07.586Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1284", "description": "CWE-1284 Improper validation of specified quantity in input", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "affected": [{"vendor": "ConnectWise", "product": "ScreenConnect", "modules": ["Host Pass"], "versions": [{"status": "affected", "version": "All versions prior to 26.2"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In ScreenConnect\u2122 versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In ScreenConnect\u2122 versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.&nbsp;</p>"}]}], "references": [{"url": "https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Cloud:\u00a0No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.\n\n\n\n\n\nOn-prem:\u00a0Upgrade to ScreenConnect version 26.2 or later.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p><b>Cloud:&nbsp;</b><span>No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.</span></p>\n\n<p><b>On-prem</b>:&nbsp;<span>Upgrade to ScreenConnect version 26.2 or later.</span></p>"}]}], "credits": [{"lang": "en", "value": "Damian West (Austin Group)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-10T18:18:34.629863Z", "id": "CVE-2026-11596", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T18:18:41.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-11596", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-10T18:18:34.629863Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T18:18:38.074Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Damian West (Austin Group)"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ConnectWise", "modules": ["Host Pass"], "product": "ScreenConnect", "versions": [{"status": "affected", "version": "All versions prior to 26.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Cloud:\u00a0No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.\n\n\n\n\n\nOn-prem:\u00a0Upgrade to ScreenConnect version 26.2 or later.", "supportingMedia": [{"type": "text/html", "value": "<p><b>Cloud:&nbsp;</b><span>No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.</span></p>\n\n<p><b>On-prem</b>:&nbsp;<span>Upgrade to ScreenConnect version 26.2 or later.</span></p>", "base64": false}]}], "references": [{"url": "https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596"}], "x_generator": {"engine": "Vulnogram 1.0.2"}, "descriptions": [{"lang": "en", "value": "In ScreenConnect\u2122 versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.", "supportingMedia": [{"type": "text/html", "value": "<p>In ScreenConnect\u2122 versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.&nbsp;</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284 Improper validation of specified quantity in input"}]}], "providerMetadata": {"orgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "shortName": "ConnectWise", "dateUpdated": "2026-06-10T17:15:07.586Z"}}}, "cveMetadata": {"cveId": "CVE-2026-11596", "state": "PUBLISHED", "dateUpdated": "2026-06-10T18:18:41.537Z", "dateReserved": "2026-06-08T14:17:16.449Z", "assignerOrgId": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "datePublished": "2026-06-10T17:15:07.586Z", "assignerShortName": "ConnectWise"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In ScreenConnect\u2122 versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens."}], "id": "CVE-2026-11596", "lastModified": "2026-06-10T18:16:40.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary"}]}, "published": "2026-06-10T18:16:40.113", "references": [{"source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "url": "https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596"}], "sourceIdentifier": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "7d616e1a-3288-43b1-a0dd-0a65d3e70a49", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,26.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ScreenConnect", "source": "cna", "vendor": "ConnectWise"}, "product": "screenconnect", "vendor": "connectwise"}], "created": "2026-06-10T19:30:36.816893+00:00", "updated": "2026-06-10T19:30:36.816940+00:00", "vendors": ["connectwise", "connectwise$PRODUCT$screenconnect"]}