This vulnerability (CWE-1284) affects ScreenConnect versions before 26.2 and arises from insufficient validation of the quantity input during Host Pass creation. An authenticated user with the necessary privileges can generate delegated access tokens with expiration durations exceeding the intended maximum, potentially extending access beyond policy limits. The CVSS 3.1 base score is 4.7, reflecting a network attack vector with low complexity but requiring high privileges and no user interaction, impacting confidentiality, integrity, and availability at a low level.

The impact is limited to authenticated users who have Host Pass creation privileges. They can create delegated access tokens with extended expiration times, potentially increasing the window for unauthorized access if those tokens are misused. The confidentiality, integrity, and availability impacts are rated low according to the CVSS score. There are no known exploits in the wild.

No official patch or remediation guidance has been published yet. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict Host Pass creation privileges to trusted users only and monitor token usage closely to detect any anomalies.