Cyber Resilience

CVE-2026-1693

Medium

Published: 26 February 2026

Modified: 12 March 2026
CVSS Score v4: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Clear)
EPSS Score: 0.0006 (19.6th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1693 is a medium-severity Use of Obsolete Function (CWE-477) vulnerability in ARC Informatique PcVue. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2026-1693 is a vulnerability in the PcVue application, affecting versions 12.0.0 through 16.3.3 inclusive. It stems from the continued use of the deprecated OAuth Resource Owner Password Credentials (ROPC) grant type in the web services supporting the WebVue, WebScheduler, TouchVue, and Snapvue features. This insecure authentication mechanism, associated with CWE-477 (Use of Obsolete Function) and CWE-1390 (Weak Authentication), could enable a remote attacker to steal user credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

A remote attacker with network access to the affected PcVue instance can exploit this vulnerability without authentication. By leveraging the ROPC flow's transmission of usernames and passwords in requests to the web services, the attacker could intercept or extract credentials, potentially gaining unauthorized access to user accounts and associated resources within the PcVue environment.

The vendor has published a security bulletin at https://www.pcvue.com/security/#SB2026-2 addressing this issue, which security practitioners should consult for details on available patches or mitigation steps. The CVE was published on 2026-02-26.


Vulnerability details

The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the web services used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability is a remote unauthenticated flaw in public-facing web services (ROPC OAuth), directly enabling exploitation via T1190 and resulting in exposure of credentials matching T1552.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-40554 (shared CWE-1390)
CVE-2025-12870 (shared CWE-1390)
CVE-2023-53894 (shared CWE-1390)
CVE-2026-4828 (shared CWE-1390)
CVE-2025-40552 (shared CWE-1390)
CVE-2026-28710 (shared CWE-1390)
CVE-2026-6886 (shared CWE-1390)
CVE-2025-1387 (shared CWE-1390)
CVE-2024-50563 (shared CWE-1390)
CVE-2025-57713 (shared CWE-1390)

Affected Assets

arcinformatique
pcvue
12.0.0 — 15.2.13 · 16.0.0 — 16.3.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent, recover

Directly requires timely remediation of the PcVue vulnerability using deprecated ROPC OAuth flow, as detailed in the vendor security bulletin SB2026-2.

prevent

Protects usernames and passwords transmitted in ROPC flow requests to PcVue web services from interception by remote attackers through enforced confidentiality and integrity.

prevent

Mandates management and protection of authenticators to prohibit insecure practices like the ROPC grant type that exposes user credentials in PcVue web services.
