CVE-2026-1693
Deprecated OAuth ROPC Flow in PcVue Enables Credential Theft
Publication date: 2026-02-26
Last updated on: 2026-03-12
Assigner: arcinfo
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arcinformatique | pcvue | From 16.0.0 (inc) to 16.3.4 (exc) |
| arcinformatique | pcvue | From 12.0.0 (inc) to 15.2.13 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
| CWE-477 | The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the continued use of the OAuth grant type called Resource Owner Password Credentials (ROPC) flow in certain web services of PcVue versions 12.0.0 through 16.3.3. Although this flow has been deprecated, it is still used by features such as WebVue, WebScheduler, TouchVue, and Snapvue. Because of this, a remote attacker might be able to steal user credentials.
How can this vulnerability impact me?
The vulnerability could allow a remote attacker to steal user credentials. This means unauthorized parties might gain access to user accounts, potentially leading to unauthorized access to sensitive information or systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know