CVE-2026-11596: ScreenConnect Host Pass Token Expiration Bypass (MEDIUM, 4.7)
ScreenConnect versions before 26.2 contain a weakness in how it validates input when administrators or authorized users create Host Pass tokens—special access credentials that grant temporary delegated access. An authenticated user with Host Pass creation privileges can bypass the intended expiration time limits and specify tokens that remain valid far longer than intended, potentially allowing extended unauthorized access to systems after the token should have expired.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-1284
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
In ScreenConnect™ versions prior to 26.2, input validation within the Host Pass creation functionality could allow an authenticated user with Host Pass creation privileges the ability to specify a token expiration duration beyond the intended maximum when generating delegated access tokens.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient input validation in the Host Pass creation functionality. The flaw permits authenticated users holding Host Pass creation permissions to circumvent controls on token expiration duration. By specifying an expiration value beyond the designed maximum threshold, an attacker with adequate privileges can generate delegated access tokens with extended validity windows. This affects ScreenConnect versions prior to 26.2. The issue is classified under CWE-1284 (Improper Validation of Specified Quantity in Input), indicating that the application fails to properly constrain the duration parameter to its intended bounds.
Business impact
This vulnerability creates insider risk and privilege-escalation exposure. If a privileged user—such as an IT administrator or support engineer—creates Host Pass tokens with extended expiration windows, those tokens remain valid longer than organizational access policies permit. This extends the window for token misuse, interception, or unauthorized delegation. In environments where Host Pass tokens are shared or cached, longer validity periods increase the likelihood that a compromised or stolen token will remain exploitable. The impact depends on whether affected tokens grant access to sensitive systems or customer environments.
Affected systems
ScreenConnect versions prior to 26.2 are affected. Organizations should check their current deployment version immediately. The vendor has not indicated broader impact across different product lines or platform variants based on available information.
Exploitability
Exploitation requires that an attacker already possess valid credentials and explicit Host Pass creation privileges—a relatively high barrier. The attack does not require user interaction or network-level complexity; once authenticated, the attacker can simply craft a token creation request with an out-of-bounds expiration parameter. The ease of execution is moderate once authentication is obtained. No public exploits have been designated for active exploitation at this time.
Remediation
Organizations running ScreenConnect should upgrade to version 26.2 or later, which includes corrected input validation for Host Pass token creation. Pending patching, consider restricting Host Pass creation privileges to only essential personnel and implementing additional monitoring or audit logging for token creation events to detect unusual expiration values.
Patch guidance
Upgrade ScreenConnect to version 26.2 or later. Verify patch deployment by checking the application version in the administrative console or via vendor-supplied verification tools. Test the upgrade in a non-production environment first to confirm compatibility with your deployment. Once patched, validate that Host Pass token creation now properly enforces expiration duration limits and rejects out-of-bounds values.
Detection guidance
Monitor ScreenConnect audit logs for Host Pass token creation events that specify unusually long expiration durations. Compare the requested expiration value against your organization's policy maximum and flag anomalies. Examine existing tokens in your ScreenConnect environment and verify their expiration dates align with issued policies—tokens with far-future expiration dates may indicate prior exploitation. Look for Host Pass creation requests from privileged accounts during unusual hours or from unexpected sources as a behavioral indicator.
Why prioritize this
This vulnerability warrants priority patching despite its medium CVSS score because it directly affects access control and token longevity—core security mechanisms in remote support scenarios. The authenticated nature of the attack reduces immediate external risk, but the privileged context means internal threats or compromised administrative accounts can cause harm with extended impact. Organizations managing customer access via ScreenConnect should treat this as higher priority than the base score alone suggests.
Risk score, explained
The CVSS 3.1 score of 4.7 (MEDIUM) reflects a vulnerability requiring high-level privileges to exploit (PR:H) with no user interaction needed (UI:N). The impact is limited to confidentiality, integrity, and availability at a low level (each scored L), and the scope is unchanged (S:U). The score appropriately captures that this is not a critical remote code execution flaw, but rather a boundary-condition control bypass that requires existing privileged access. However, the extended token validity risk and potential for privilege persistence justify treating it as higher priority in practice, particularly in managed service or customer-facing deployments.
Frequently asked questions
What is a Host Pass token in ScreenConnect?
A Host Pass token is a delegated access credential that grants temporary, time-limited access to a ScreenConnect system. It allows authenticated users with appropriate privileges to generate and distribute access tokens for remote support, customer access, or administrative tasks without sharing permanent credentials. Token expiration is a critical control to limit the window of exposure.
Can an attacker exploit this without already being inside our ScreenConnect environment?
No. This vulnerability requires that an attacker already possess valid ScreenConnect credentials and specifically hold Host Pass creation privileges. It does not enable initial access or bypass authentication. However, if your ScreenConnect environment is internet-facing or if an internal user becomes compromised, this flaw allows them to extend token validity beyond intended policy.
How do I know if someone has exploited this in our environment?
Review your ScreenConnect audit logs for Host Pass token creation events. Check the expiration date values assigned to tokens created prior to patching and compare them against your policy. Tokens with expiration dates far in the future may indicate exploitation. Additionally, if you notice unexpected or persistent access from Host Pass tokens after their documented expiration, that is a red flag.
Do we need to revoke existing Host Pass tokens after patching?
Yes, it is prudent to audit and revoke any Host Pass tokens created before you deployed version 26.2, especially those with expiration dates beyond your organization's policy window. After patching, the application will prevent future tokens from exceeding the limit, but previously issued tokens remain valid until their specified expiration unless manually revoked.
This analysis is based on the published CVE record and vendor information available as of the knowledge cutoff date. Organizations should verify current patch availability and compatibility with their specific ScreenConnect deployment. No exploitation in the wild is documented at this time, but threat actors may develop exploits as patch adoption accelerates. Always test patches in a controlled environment before production deployment. This advisory does not constitute legal or compliance advice; consult your organization's security and legal teams regarding remediation timelines based on your risk posture and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-52905MEDIUMLinux Kernel DAMON Invalid Region Size Denial of Service
- CVE-2026-9801MEDIUMKeycloak LDAP OutOfMemoryError Denial of Service
- CVE-2026-47329LOWUbuntu Linux AppArmor Notification Validation Flaw
- CVE-2026-53689HIGHlibnfs Integer Overflow in String Validation
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)