Description
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.

This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Compromise of authenticated user session via missing WebSocket origin validation leading to phishing
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a missing origin validation on the WebSocket endpoints GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect used by PcVue web services. An attacker could lure an authenticated user to a malicious website, leading to potential phishing of credentials or other sensitive information. The flaw does not grant direct code execution but could allow unauthorized access to user‑specific data or services, especially if users act on deceptive links. This weakness aligns with CWE‑1385, reflecting improper origin validation.

Affected Systems

Arcinfo PcVue systems with versions 12.0.0 through 16.3.3 are affected. The official fix is available in PcVue 16.3.4 (16.3.4902.3112) and PcVue 15.2.14 (15.2.14900.37147). Versions outside this range are not impacted, and non‑Web Server components can safely remain installed if unused.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate overall risk, and the EPSS score is below 1%, implying a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote through WebSocket connections, typically requiring the system to be reachable over a network where a user is authenticated and may be tricked into visiting a malicious site. Based on the description, credential theft is an inference; the primary risk is phishing of the authenticated user, which might lead to credential leakage if the user discloses information. The impact could extend to unauthorized access if credentials are compromised, but this is contingent on user behavior and system configuration.

Generated by OpenCVE AI on April 16, 2026 at 16:09 UTC.

Remediation

Vendor Solution

Harden the configuration Who should apply this recommendation: All users To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures: * Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks. * Locate control system networks and remote devices behind firewalls and isolate them from business networks. * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. Uninstall the Web Server Who should apply this recommendation: All users not using the affected component If your system does not require the use of the Web & Mobile features, you should make sure not to install them. If your system requires the use of the Web & Mobile features, they should be installed only on the Web Server. See the product help related to the installation for more information. Update the Web Deployment Console (WDC) and re deploy the Web Server Who should apply this recommendation: All users running affected components. Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable: * The Authorization Code flow * The Authorization Code flow with PKCE * The Resource Owner Password Credentials (ROPC) flow By default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required. To verify that the patch is applied correctly, you must check that: * The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used; * Web Sites have been redeployed; * OAuth flow are correctly set for each authorized Client. Available patches: Patch provided in: * PcVue 16.3.4 (16.3.4902.3112) * PcVue 15.2.14 (15.2.14900.37147)

OpenCVE Recommended Actions

  • Uninstall the Web Server component if the system does not require Web & Mobile features.
  • Install the patched Web Deployment Console (WDC) version 16.3.4 (or 15.2.14) on the IIS Web server and redeploy the Web Site, ensuring the file version matches the deployed release.
  • Disable the OAuth flows by default, reconfiguring authorized clients to enable only the necessary flows after redeployment.
  • Limit network exposure for control system devices, placing them behind firewalls, isolating them from business networks, and using VPNs for remote access where necessary.

Generated by OpenCVE AI on April 16, 2026 at 16:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.pcvue.com/security/#SB2026-2 cve-icon cve-icon
History

Thu, 12 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Arcinformatique
Arcinformatique pcvue
CPEs cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Vendors & Products Arcinformatique
Arcinformatique pcvue
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 08:15:00 +0000

Type Values Removed Values Added
Description A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in version 12.0.0 through 16.3.3 included. It might allow a remote attacker to lure a successfully authenticated user to a malicious website. This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
Title Missing origin validation in GraphicalData web service requests
First Time appeared Arcinfo
Arcinfo pcvue
Weaknesses CWE-1385
CPEs cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*
cpe:2.3:a:arcinfo:pcvue:12.0.0:*:*:*:*:*:*:*
Vendors & Products Arcinfo
Arcinfo pcvue
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear'}

Subscriptions

Arcinfo Pcvue
Arcinformatique Pcvue
cve-icon MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-03-26T08:21:34.229Z

Reserved: 2026-01-30T08:37:33.143Z

Link: CVE-2026-1692

cve-icon Vulnrichment

Updated: 2026-02-26T14:23:16.660Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T08:16:18.160

Modified: 2026-03-12T14:20:44.147

Link: CVE-2026-1692

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses