CVE-2026-14868 PcVue vulnerability
The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.
Quick answer
PcVue should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- PcVue versions prior to 17.0.0
Fixed versions
- 17.0.0
How to fix it
CVE-2026-14868 affects ARC Informatique PcVue projects where weak encryption protects built-in user directory account configuration, allowing a local attacker to alter configuration and gain privileged PcVue access. Prioritize engineering workstations, SCADA/HMI project repositories, shared project folders, and systems where local users can access the PcVue project User directory. PcVue lists the issue as fixed in version 17.0.0. Until upgraded, restrict local project access and prefer centrally managed accounts where possible.
- Inventory PcVue project files, engineering stations, runtime servers, backup copies, and shared folders that contain built-in user directories.
- Identify PcVue versions prior to 17.0.0 and plan an upgrade to PcVue 17.0.0 or a later supported release.
- Upgrade PcVue through the vendor-supported process and validate project compatibility in a controlled maintenance window before production rollout.
- Restrict local filesystem access to project User directories, remove unnecessary shared access, and prefer Active Directory accounts where feasible.
- Review built-in user accounts, roles, project permissions, and local administrator access on engineering and runtime hosts.
- Review file access logs, project history, backups, and account changes for unauthorized reads, credential retrieval, or modified user configuration.
- If credential exposure or privilege misuse is suspected, rotate built-in credentials, replace compromised project files from trusted backups, and preserve evidence.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm PcVue projects and runtime systems are running version 17.0.0 or a later supported release.
- Confirm projects run on PcVue 17.0.0 or later and built-in user directory configuration is protected by the remediated storage format.
- Confirm only authorized administrators can access PcVue project User directories and backups that contain account configuration.
- Validate project login, role assignment, runtime operation, and Active Directory integration after upgrade.
- Document patched versions, project validation, access-control changes, credential rotation, and retained evidence.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-14868?
PcVue versions listed as affected should be reviewed: PcVue versions prior to 17.0.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
