CVE-2026-1693
Published: 26 February 2026
Summary
CVE-2026-1693 is a medium-severity Use of Obsolete Function (CWE-477) vulnerability in Arcinformatique Pcvue. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2026-1693 is a vulnerability in the PcVue application, affecting versions 12.0.0 through 16.3.3 inclusive. It stems from the continued use of the deprecated OAuth grant type Resource Owner Password Credentials (ROPC) flow in the web services supporting the WebVue, WebScheduler, TouchVue, and Snapvue features. This insecure authentication mechanism, associated with CWE-477 (Insecure Use of OAuth) and CWE-1390 (Weak Authentication), could enable a remote attacker to steal user credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
A remote attacker with network access to the affected PcVue instance can exploit this vulnerability without authentication. By leveraging the ROPC flow's transmission of usernames and passwords in requests to the web services, the attacker could intercept or extract credentials, potentially gaining unauthorized access to user accounts and associated resources within the PcVue environment.
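As an added example (not taken from the vendor bulletin or from this page's source), a defender can check proxy-logged or captured HTTP requests for ROPC use: under RFC 6749 the flow sends `grant_type=password` together with the username and password in a form-encoded token request. The host name, the `/token` path and the record layout below are assumptions, and the sample records are constructed.

```python
from urllib.parse import parse_qs

# Constructed sample records (not real PcVue traffic); host and paths are hypothetical.
SAMPLE_REQUESTS = [
    {"scheme": "http", "host": "scada.example.internal", "path": "/token",
     "content_type": "application/x-www-form-urlencoded",
     "body": "grant_type=password&username=operator1&password=S3cret%21&client_id=web"},
    {"scheme": "https", "host": "scada.example.internal", "path": "/token",
     "content_type": "application/x-www-form-urlencoded; charset=UTF-8",
     "body": "grant_type=authorization_code&code=abc123&code_verifier=xyz&client_id=web"},
    {"scheme": "https", "host": "scada.example.internal", "path": "/token",
     "content_type": "application/x-www-form-urlencoded",
     "body": "client_id=web&grant_type=password&username=admin&password=hunter2"},
    {"scheme": "https", "host": "scada.example.internal", "path": "/api/data",
     "content_type": "application/json", "body": '{"grant_type": "password"}'},
]


def find_ropc_requests(records):
    """Return one finding per token request that uses the ROPC grant."""
    findings = []
    for rec in records:
        # Token requests are form-encoded; ignore parameters after ';'.
        media_type = rec["content_type"].split(";")[0].strip().lower()
        if media_type != "application/x-www-form-urlencoded":
            continue
        params = parse_qs(rec["body"], keep_blank_values=True)
        if params.get("grant_type") != ["password"]:
            continue  # some other grant, e.g. authorization_code
        findings.append({
            "endpoint": f'{rec["scheme"]}://{rec["host"]}{rec["path"]}',
            "username": params.get("username", [""])[0],
            # Record only that a password was sent, never its value.
            "password_present": "password" in params,
            # Plain HTTP means the credentials crossed the network unprotected.
            "cleartext_transport": rec["scheme"] == "http",
        })
    return findings


if __name__ == "__main__":
    for finding in find_ropc_requests(SAMPLE_REQUESTS):
        print(finding)
```

Findings with `cleartext_transport` set are the ones where the transmitted credentials had no transport protection at all; the remaining findings still identify clients that depend on the deprecated grant.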
The vendor has published a security bulletin at https://www.pcvue.com/security/#SB2026-2 addressing this issue, which security practitioners should consult for details on available patches or mitigation steps. The CVE was published on 2026-02-26.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8837
Vulnerability details
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the web services used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote, unauthenticated flaw in public-facing web services (ROPC OAuth), directly enabling exploitation via T1190 and resulting in exposure of credentials matching T1552.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the PcVue vulnerability using deprecated ROPC OAuth flow, as detailed in the vendor security bulletin SB2026-2.
Protects usernames and passwords transmitted in ROPC flow requests to PcVue web services from interception by remote attackers through enforced confidentiality and integrity.
Mandates management and protection of authenticators to prohibit insecure practices like the ROPC grant type that exposes user credentials in PcVue web services.