CVE-2026-1693
Published: 26 February 2026
Summary
CVE-2026-1693 is a high-severity Use of Obsolete Function (CWE-477) vulnerability in Arcinformatique Pcvue. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Helps detect exploitation of weak authentication mechanisms by notifying of previous unauthorized logons.
The IA policy requires strong authentication methods, reducing use of weak authentication.
Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions.
Enforces authentication for users, reducing the viability of weak authentication mechanisms.
Requires authentication mechanisms to meet applicable standards and guidelines, preventing weak authentication.
Institutionalized information sharing keeps developers aware of obsolete functions and the need to replace them with supported alternatives.
Regular reassessment flags use of obsolete functions whose security properties have degraded or whose replacements contain fixes for known weaknesses.
Eliminates reliance on functions or components explicitly declared obsolete and unsupported by their maintainers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated flaw in public-facing web services (ROPC OAuth). It directly enables exploitation via T1190 and results in exposure of credentials, matching T1552.
NVD Description
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the webservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
Deeper analysis
CVE-2026-1693 is a vulnerability in the PcVue application, affecting versions 12.0.0 through 16.3.3 inclusive. It stems from the continued use of the deprecated OAuth grant type Resource Owner Password Credentials (ROPC) flow in the web services supporting the WebVue, WebScheduler, TouchVue, and Snapvue features. This insecure authentication mechanism, associated with CWE-477 (Use of Obsolete Function) and CWE-1390 (Weak Authentication), could enable a remote attacker to steal user credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
A remote attacker with network access to the affected PcVue instance can exploit this vulnerability without authentication. By leveraging the ROPC flow's transmission of usernames and passwords in requests to the web services, the attacker could intercept or extract credentials, potentially gaining unauthorized access to user accounts and associated resources within the PcVue environment.
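As an added example (not from the NVD entry or the vendor bulletin), the sketch below shows how a defender could flag ROPC token requests in proxied or captured traffic, using the `grant_type=password` form defined in RFC 6749 section 4.3. The `/token` path, client ids and sample records are constructed, and the severity labels are the example's own triage labels, not CVSS values.

```python
from urllib.parse import parse_qs

# RFC 6749 section 4.3: an ROPC token request is a form-encoded POST with
# grant_type=password plus the user's own username and password.
ROPC_GRANT = "password"
SECRET_FIELDS = {"password", "client_secret", "refresh_token", "code"}

def classify_token_request(body):
    """Parse a form-encoded token request body and report whether it is ROPC."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    grant = params.get("grant_type", "")
    # Never copy secrets into findings: keep field names, mask the values.
    redacted = {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in params.items()}
    return {"grant_type": grant, "ropc": grant == ROPC_GRANT, "params": redacted}

def audit(records):
    """Return one finding per ROPC request seen in (scheme, path, body) records."""
    findings = []
    for scheme, path, body in records:
        result = classify_token_request(body)
        if not result["ropc"]:
            continue
        findings.append({
            "path": path,
            "user": result["params"].get("username", ""),
            # Example-only triage label: cleartext transport exposes the password on the wire.
            "severity": "critical" if scheme != "https" else "high",
            "params": result["params"],
        })
    return findings

# Constructed sample records; the /token path and client ids are hypothetical.
SAMPLE = [
    ("https", "/token", "grant_type=password&username=operator1&password=S3cret%21&client_id=webclient"),
    ("http", "/token", "grant_type=password&username=admin&password=hunter2"),
    ("https", "/token", "grant_type=authorization_code&code=abc123&code_verifier=xyz&client_id=webclient"),
    ("https", "/token", "grant_type=refresh_token&refresh_token=r1&client_id=webclient"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["severity"], f["path"], f["user"], f["params"])
```
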
The vendor has published a security bulletin at https://www.pcvue.com/security/#SB2026-2 addressing this issue, which security practitioners should consult for details on available patches or mitigation steps. The CVE was published on 2026-02-26.
Details
- CWE(s)