CVE-2026-1693 identifies a security weakness in arcinfo's PcVue software, specifically versions 12.0.0 through 16.3.3, where the OAuth Resource Owner Password Credentials (ROPC) grant type is still employed in the web services supporting WebVue, WebScheduler, TouchVue, and Snapvue features. The ROPC flow is deprecated due to its inherent security risks, primarily because it requires users to provide their credentials directly to the client application, increasing the risk of credential exposure. In this case, the continued use of ROPC allows a remote attacker to potentially intercept or steal user credentials by exploiting the weak authentication mechanism. The vulnerability does not require the attacker to have privileges or prior authentication, but user interaction is necessary, such as tricking a user into initiating the authentication process. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering network attack vector, low complexity, no privileges required, but user interaction needed, and limited impact on confidentiality. The vulnerability affects the confidentiality of user credentials but does not directly impact integrity or availability of the system. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-1390 (Weak Authentication) and CWE-477 (Use of Obsolete or Deprecated Function).

The primary impact of CVE-2026-1693 is the potential compromise of user credentials for PcVue's web-based features, which could lead to unauthorized access to the affected systems. Credential theft can enable attackers to impersonate legitimate users, escalate privileges, and potentially manipulate industrial control processes managed by PcVue. This could result in operational disruptions, data breaches, and loss of control over critical infrastructure components. Since PcVue is widely used in industrial automation, building management, and critical infrastructure sectors, the impact could extend to safety risks and significant financial losses. The medium severity rating indicates a moderate risk, but the ease of exploitation due to no privileges required and network accessibility increases the urgency for mitigation. The lack of known exploits in the wild suggests the threat is currently theoretical but could become practical if attackers develop exploit techniques. Organizations relying on PcVue should consider the risk of credential compromise as a gateway to broader attacks on their operational technology environments.

To mitigate CVE-2026-1693, organizations should immediately assess their PcVue deployments to identify affected versions (12.0.0 through 16.3.3) and the use of WebVue, WebScheduler, TouchVue, and Snapvue features. Since no official patches are currently available, the primary mitigation is to disable or replace the OAuth ROPC grant type with more secure OAuth flows such as Authorization Code Grant with PKCE or Client Credentials Grant, which do not expose user credentials directly. Network segmentation and strict access controls should be enforced to limit exposure of PcVue web services to trusted networks only. Implement multi-factor authentication (MFA) where possible to reduce the risk of credential misuse. Monitor authentication logs for suspicious activities indicative of credential theft attempts. Educate users about phishing and social engineering risks that could trigger user interaction exploitation. Engage with arcinfo support for updates or patches addressing this vulnerability. Consider deploying web application firewalls (WAFs) to detect and block anomalous authentication requests targeting these services.