mediumCVE-2026-14867

CVE-2026-14867 PcVue vulnerability

Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials. Active Directory accounts are not affected by this vulnerability.

ProductPcVue
CVSS6.8
EPSS0.00092
UpdatedJuly 12, 2026

Quick answer

PcVue should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • PcVue versions prior to 17.0.0

Fixed versions

  • 17.0.0

How to fix it

CVE-2026-14867 affects ARC Informatique PcVue projects where built-in user credentials are insecurely stored in the PcVue project User directory, allowing a local attacker to retrieve credentials; Active Directory accounts are not affected. Prioritize engineering workstations, SCADA/HMI project repositories, shared project folders, and systems where local users can access the PcVue project User directory. PcVue lists the issue as fixed in version 17.0.0. Until upgraded, restrict local project access and prefer centrally managed accounts where possible.

  1. Inventory PcVue project files, engineering stations, runtime servers, backup copies, and shared folders that contain built-in user directories.
  2. Identify PcVue versions prior to 17.0.0 and plan an upgrade to PcVue 17.0.0 or a later supported release.
  3. Upgrade PcVue through the vendor-supported process and validate project compatibility in a controlled maintenance window before production rollout.
  4. Restrict local filesystem access to project User directories, remove unnecessary shared access, and prefer Active Directory accounts where feasible.
  5. Review built-in user accounts, roles, project permissions, and local administrator access on engineering and runtime hosts.
  6. Review file access logs, project history, backups, and account changes for unauthorized reads, credential retrieval, or modified user configuration.
  7. If credential exposure or privilege misuse is suspected, rotate built-in credentials, replace compromised project files from trusted backups, and preserve evidence.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm PcVue projects and runtime systems are running version 17.0.0 or a later supported release.
  • Confirm built-in user credentials are no longer recoverable from project User directories and Active Directory-backed accounts remain in use where possible.
  • Confirm only authorized administrators can access PcVue project User directories and backups that contain account configuration.
  • Validate project login, role assignment, runtime operation, and Active Directory integration after upgrade.
  • Document patched versions, project validation, access-control changes, credential rotation, and retained evidence.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-14867?

PcVue versions listed as affected should be reviewed: PcVue versions prior to 17.0.0.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.