{"api_version":"1","generated_at":"2026-06-23T17:40:34+00:00","cve":"CVE-2026-11596","urls":{"html":"https://cve.report/CVE-2026-11596","api":"https://cve.report/api/cve/CVE-2026-11596.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-11596","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-11596"},"summary":{"title":"CVE-2026-11596","description":"In ScreenConnect™ versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.","state":"PUBLISHED","assigner":"ConnectWise","published_at":"2026-06-10 18:16:40","updated_at":"2026-06-10 20:19:35"},"problem_types":["CWE-1284","CWE-1284 CWE-1284 Improper validation of specified quantity in input"],"metrics":[{"version":"3.1","source":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","type":"Secondary","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596","name":"https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596","refsource":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-11596","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11596","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"ConnectWise","product":"ScreenConnect","version":"affected All versions prior to 26.2","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Cloud: No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.\n\n\n\n\n\nOn-prem: Upgrade to ScreenConnect version 26.2 or later.","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Damian West (Austin Group)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"11596","cve":"CVE-2026-11596","epss":"0.002210000","percentile":"0.124910000","score_date":"2026-06-17","updated_at":"2026-06-18 00:11:05"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-11596","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-10T18:18:34.629863Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-10T18:18:41.537Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","modules":["Host Pass"],"product":"ScreenConnect","vendor":"ConnectWise","versions":[{"status":"affected","version":"All versions prior to 26.2"}]}],"credits":[{"lang":"en","type":"finder","value":"Damian West (Austin Group)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In ScreenConnect™ versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.&nbsp;</p>"}],"value":"In ScreenConnect™ versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens."}],"impacts":[{"capecId":"CAPEC-153","descriptions":[{"lang":"en","value":"CAPEC-153 Input Data Manipulation"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-1284","description":"CWE-1284 Improper validation of specified quantity in input","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-10T17:15:07.586Z","orgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","shortName":"ConnectWise"},"references":[{"url":"https://github.com/ConnectWise-Advisories/Disclosures/tree/main/CVE-2026-11596"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p><b>Cloud:&nbsp;</b><span>No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.</span></p>\n\n<p><b>On-prem</b>:&nbsp;<span>Upgrade to ScreenConnect version 26.2 or later.</span></p>"}],"value":"Cloud: No action is required. ScreenConnect servers hosted in the\nScreenConnect cloud environment have been updated to remediate this issue.\n\n\n\n\n\nOn-prem: Upgrade to ScreenConnect version 26.2 or later."}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}}},"cveMetadata":{"assignerOrgId":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","assignerShortName":"ConnectWise","cveId":"CVE-2026-11596","datePublished":"2026-06-10T17:15:07.586Z","dateReserved":"2026-06-08T14:17:16.449Z","dateUpdated":"2026-06-10T18:18:41.537Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-10 18:16:40","lastModifiedDate":"2026-06-10 20:19:35","problem_types":["CWE-1284","CWE-1284 CWE-1284 Improper validation of specified quantity in input"],"metrics":{"cvssMetricV31":[{"source":"7d616e1a-3288-43b1-a0dd-0a65d3e70a49","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":1.2,"impactScore":3.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"11596","Ordinal":"1","Title":"CVE-2026-11596","CVE":"CVE-2026-11596","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"11596","Ordinal":"1","NoteData":"In ScreenConnect™ versions prior to 26.2, input\nvalidation within the Host Pass creation functionality could allow an\nauthenticated user with Host Pass creation privileges the ability to specify a\ntoken expiration duration beyond the intended maximum when generating delegated\naccess tokens.","Type":"Description","Title":"CVE-2026-11596"}]}}}