Description
An HTTP Host header attack vulnerability affects the WebClient and WebScheduler web apps of PcVue in versions 15.0.0 through 16.3.3 inclusive, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior.

This vulnerability only affects the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout of the WebClient and WebScheduler web apps.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Unauthorized Server Behavior
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an HTTP Host header flaw exploitable through the /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout endpoints of the WebClient and WebScheduler web applications in PcVue versions 15.0.0 to 16.3.3. The flaw allows a remote attacker to inject crafted payloads that manipulate server-side behavior, potentially leading to unauthorized actions or code execution on the control system server. Based on the description, it is inferred that the attacker could achieve unauthorized actions and possibly execute code, although this is not explicitly confirmed.

Affected Systems

The affected products are PcVue control system applications from ARC Informatique (listed under the vendor names arcinfo and arcinformatique). The affected version range is PcVue 15.0.0 through 16.3.3, inclusive. The vulnerability targets the WebClient and WebScheduler web apps deployed on an IIS web server.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate risk, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed in-the-wild exploitation has been reported. Exploitation would require network access to the affected web servers and the ability to send malicious Host header values; remediation mainly involves applying the vendor-provided patch or disabling the vulnerable components.

Generated by OpenCVE AI on April 16, 2026 at 16:07 UTC.

Remediation

Vendor Solution

Harden the configuration
Who should apply this recommendation: All users
To reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:
* Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.
* Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as its connected devices.

Uninstall the Web Server
Who should apply this recommendation: All users not using the affected component
If your system does not require the use of the Web & Mobile features, you should make sure not to install them. If your system requires the use of the Web & Mobile features, they should be installed only on the Web Server. See the product help related to the installation for more information.

Update the Web Deployment Console (WDC) and re-deploy the Web Server
Who should apply this recommendation: All users running affected components
Install a patched release of the Web Deployment Console (WDC) on the IIS Web server and use it to re-deploy the Web Site. Some settings might need to be updated if third-party web apps or services depend on the OAuth ROPC flow. In a patched release of the WDC, new settings are available for each authorized Client to enable or disable:
* The Authorization Code flow
* The Authorization Code flow with PKCE
* The Resource Owner Password Credentials (ROPC) flow
By default, all the OAuth flows are now disabled for third-party web apps and need to be manually enabled before deployment if required.

To verify that the patch is applied correctly, you must check that:
* The File version property of the file ./bin/Modules/WebDeployment/WebDeploymentConsole.exe matches the deployed release or later, and ensure that any earlier release is no longer used;
* Web Sites have been redeployed;
* OAuth flows are correctly set for each authorized Client.

Available patches:
Patch provided in:
* PcVue 16.3.4 (16.3.4902.3112)
* PcVue 15.2.14 (15.2.14900.37147)


OpenCVE Recommended Actions

  • Upgrade to the patched Web Deployment Console (PcVue 16.3.4 or 15.2.14) on the IIS web server and redeploy the web site, making sure OAuth flows are correctly configured.
  • If the Web & Mobile features are not required, uninstall the Web Server component; otherwise, install it only on the dedicated Web Server as advised by the vendor.
  • Minimize network exposure for control system devices, isolate remote access behind firewalls, and use secure VPN connections when remote access is necessary.



Advisories

No advisories yet.

References
History

Thu, 12 Mar 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arcinformatique; Arcinformatique pcvue
CPEs | | cpe:2.3:a:arcinformatique:pcvue:*:*:*:*:*:*:*:*
Vendors & Products | | Arcinformatique; Arcinformatique pcvue
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 26 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 08:15:00 +0000

Type | Values Removed | Values Added
Description | | A HTTP Host header attack vulnerability affects WebClient and the WebScheduler web apps of PcVue in version 15.0.0 through 16.3.3 included, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior. This vulnerability only affects the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout of the WebClient and WebScheduler web apps.
Title | | HTTP Host header vulnerability in WebClient and WebScheduler web apps
First Time appeared | | Arcinfo; Arcinfo pcvue
Weaknesses | | CWE-644
CPEs | | cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*
Vendors & Products | | Arcinfo; Arcinfo pcvue
References | |
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N/AU:Y/R:U/RE:M/U:Clear'}


MITRE

Status: PUBLISHED

Assigner: arcinfo

Published:

Updated: 2026-03-26T08:25:09.394Z

Reserved: 2026-01-30T08:38:11.209Z

Link: CVE-2026-1698

Vulnrichment

Updated: 2026-02-26T14:30:14.904Z

NVD

Status: Analyzed

Published: 2026-02-26T08:16:19.897

Modified: 2026-03-12T14:30:52.183

Link: CVE-2026-1698

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:15:08Z

Weaknesses