CVE-2026-1693
Received
Received - Intake
Deprecated OAuth ROPC Flow in PcVue Enables Credential Theft
Publication date: 2026-02-26
Last updated on: 2026-03-12
Assigner: arcinfo
Description
Description
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the werbservices used by the WebVue, WebScheduler, TouchVue and Snapvue features of PcVue in version 12.0.0 through 16.3.3 included despite being deprecated. It might allow a remote attacker to steal user credentials.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arcinformatique | pcvue | From 16.0.0 (inc) to 16.3.4 (exc) |
| arcinformatique | pcvue | From 12.0.0 (inc) to 15.2.13 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-477 | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
