{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-11596","assignerOrgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","state":"PUBLISHED","assignerShortName":"ConnectWise","dateReserved":"2026-06-08T14:17:16.449Z","datePublished":"2026-06-10T17:15:07.586Z","dateUpdated":"2026-06-10T18:18:41.537Z"},"containers":{"cna":{"providerMetadata":{"orgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","shortName":"ConnectWise","dateUpdated":"2026-06-10T17:15:07.586Z"},"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-1284","description":"CWE-1284 Improper validation of specified quantity in input","type":"CWE"}]}],"impacts":[{"capecId":"CAPEC-153","descriptions":[{"lang":"en","value":"CAPEC-153 Input Data Manipulation"}]}],"affected":[{"vendor":"ConnectWise","product":"ScreenConnect","modules":["Host Pass"],"versions":[{"status":"affected","version":"All versions prior to 26.2"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"In ScreenConnect™ versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>In ScreenConnect™ versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.&nbsp;</p>"}]}],"references":[{"url":"https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW","baseSeverity":"MEDIUM","baseScore":4.7,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"}}],"solutions":[{"lang":"en","value":"Cloud: No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.\n\n\n\n\n\nOn-prem: Upgrade to ScreenConnect version 26.2 or later.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p><b>Cloud:&nbsp;</b><span>No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.</span></p>\n\n<p><b>On-prem</b>:&nbsp;<span>Upgrade to ScreenConnect version 26.2 or later.</span></p>"}]}],"credits":[{"lang":"en","value":"Damian West (Austin Group)","type":"finder"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-10T18:18:34.629863Z","id":"CVE-2026-11596","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-10T18:18:41.537Z"}}]}}