CVE-2026-1692 identifies a missing origin validation vulnerability in the WebSocket implementation of arcinfo's PcVue software, versions 12.0.0 through 16.3.3. The affected components are the GraphicalData web services utilized by the WebVue, WebScheduler, TouchVue, and SnapVue features. Specifically, the vulnerability exists in two WebSocket endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect. Origin validation is a critical security control that ensures WebSocket connections originate from trusted sources; its absence allows attackers to bypass same-origin policies. In this case, a remote attacker can lure an authenticated user to a malicious website that initiates a WebSocket connection to the vulnerable PcVue service, potentially hijacking the session or performing unauthorized actions through the user's authenticated context. The vulnerability does not require authentication or privileges on the attacker’s part but does require user interaction (visiting a malicious site). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, and low confidentiality and integrity impact. No public exploits are currently known, but the affected PcVue versions are widely used in industrial control and building automation environments, increasing the risk of targeted attacks. The vulnerability is classified under CWE-1385, highlighting missing origin validation in WebSockets as the root cause.

The vulnerability could allow attackers to perform cross-origin WebSocket attacks against PcVue users, potentially leading to unauthorized command execution or data manipulation within the affected industrial or building management systems. This could disrupt operational processes, cause data integrity issues, or enable further lateral movement within critical infrastructure networks. Since PcVue is used globally in industrial automation, exploitation could impact manufacturing plants, utilities, and smart building environments, leading to operational downtime or safety risks. The requirement for user interaction limits mass exploitation but targeted spear-phishing or watering hole attacks could be effective. The medium CVSS score reflects moderate confidentiality and integrity impact with no direct availability impact. However, in critical infrastructure contexts, even moderate integrity compromises can have severe real-world consequences. Organizations relying on PcVue should consider this vulnerability a significant risk to operational technology security.

Organizations should immediately assess their PcVue deployments to identify affected versions (12.0.0 through 16.3.3). Since no patches are currently listed, mitigating controls include restricting access to the GraphicalData/js/signalR/connect and reconnect endpoints via network segmentation and firewall rules to limit exposure to trusted networks only. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious WebSocket connection attempts from untrusted origins. Educate users about the risks of visiting untrusted websites to reduce the likelihood of social engineering attacks. Monitor network traffic for anomalous WebSocket connections and implement logging to detect potential exploitation attempts. Coordinate with arcinfo for timely patch releases and apply updates as soon as they become available. Additionally, consider deploying multi-factor authentication and session management enhancements to reduce the impact of session hijacking attempts.