VYPR
← All advisories
Medium severity4.7NVD Advisory· Published Jun 10, 2026· Updated Jun 10, 2026

CVE-2026-11596

CVE-2026-11596

Description

ScreenConnect allows authenticated users to create delegated access tokens with extended expiration durations due to insufficient input validation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ScreenConnect allows authenticated users to create delegated access tokens with extended expiration durations due to insufficient input validation.

Vulnerability

In ScreenConnect versions prior to 26.2, insufficient server-side validation of token lifetime constraints allows an authenticated user with Host Pass creation privileges to specify a token expiration duration beyond the intended maximum when generating delegated access tokens [1].

Exploitation

An attacker with authenticated access and Host Pass creation privileges can exploit this vulnerability by generating delegated access tokens with expiration durations exceeding intended limits. This requires no user interaction and can be performed remotely [1].

Impact

Successful exploitation allows delegated access tokens to remain valid longer than intended, potentially leading to unauthorized access or extended compromise of the affected system. The impact includes limited information disclosure, modification, and denial of service [1].

Mitigation

ScreenConnect version 26.2, released April 29, 2026, fully patches this issue. Cloud-hosted ScreenConnect servers have been automatically updated. On-premises installations must be upgraded to version 26.2 or later. Partners using Automate integration should apply the update via the Automate Product Updates page [1].

References
  1. Disclosures/CVE-2026-11596 at main · ConnectWise-Advisories/Disclosures

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.