{"api_version":"1","generated_at":"2026-07-14T18:36:00+00:00","cve":"CVE-2026-14868","urls":{"html":"https://cve.report/CVE-2026-14868","api":"https://cve.report/api/cve/CVE-2026-14868.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-14868","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-14868"},"summary":{"title":"Weak encryption mechanism for User directory","description":"The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.","state":"PUBLISHED","assigner":"arcinfo","published_at":"2026-07-07 10:16:40","updated_at":"2026-07-09 18:32:08"},"problem_types":["CWE-326","CWE-326 CWE-326 Inadequate Encryption Strength"],"metrics":[{"version":"4.0","source":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","type":"Secondary","score":"8.4","severity":"HIGH","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}},{"version":"4.0","source":"CNA","type":"CVSS","score":"8.4","severity":"HIGH","vector":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:M/U:Amber","data":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":8.4,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"}},{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}}],"references":[{"url":"https://www.pcvue.com/security/#SB2026-5","name":"https://www.pcvue.com/security/#SB2026-5","refsource":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-14868","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14868","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"arcinfo","product":"PcVue","version":"affected 17.0.0 cpe","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Harden the configuration\nWho should apply this recommendation: All users\n\n\nTo reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:\n\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\nAdditional deployment guidance and recommended practices are available in the product documentation ( Hardening Guide https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/hardening-guide/overview.php ).\n\n\nUpdate PcVue\nWho should apply this recommendation: All users using the affected component \n\nApply the corrective update by installing PcVue Initial Release 17.0.0 or later\n\nIn a patched release, it will no longer be possible to load User directory from earlier versions. Existing projects designed with an earlier version require explicit migration using the ProjectUtility CLI tool. Instructions are provided in the product documentation ( Project Utility CLI reference https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/tools/project-utility-cli.php ).\n\nTo verify that the patch is applied correctly, you must check that the File version property of the file ./bin/sv32.exe matches release 17.0.0 (17.0.0902.3726) or later, and ensure that any earlier release is no longer used.\n\n\n\n\nAvailable patches:\nPatch provided in:\n  *  PcVue 17.0.0 (17.0.0902.3726)","time":"","lang":"en"}],"workarounds":[],"exploits":[{"source":"CNA","title":"","value":"No POC available.","time":"","lang":"en"},{"source":"CNA","title":"","value":"Not known to be exploited","time":"","lang":"en"}],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"14868","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"arcinfo","cpe5":"pcvue","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"14868","cve":"CVE-2026-14868","epss":"0.000500000","percentile":"0.000010000","score_date":"2026-07-13","updated_at":"2026-07-14 00:13:16"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-14868","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-07-07T12:07:11.716678Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-07T12:07:31.124Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"affected","product":"PcVue","vendor":"arcinfo","versions":[{"lessThan":"17.0.0","status":"affected","version":"0","versionType":"cpe"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*","versionEndExcluding":"17.0.0","versionStartIncluding":"0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"datePublic":"2026-07-06T22:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all&nbsp;versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application."}],"value":"The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application."}],"exploits":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"No POC available."}],"value":"No POC available."},{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Not known to be exploited"}],"value":"Not known to be exploited"}],"metrics":[{"cvssV4_0":{"Automatable":"YES","Recovery":"USER","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"LOCAL","baseScore":8.4,"baseSeverity":"HIGH","exploitMaturity":"NOT_DEFINED","privilegesRequired":"LOW","providerUrgency":"AMBER","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y/R:U/RE:M/U:Amber","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"MODERATE"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"other":{"content":{"options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CNA","version":"2.0.3"},"type":"ssvc"},"scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-326","description":"CWE-326 Inadequate Encryption Strength","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-07T09:26:55.347Z","orgId":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","shortName":"arcinfo"},"references":[{"tags":["vendor-advisory"],"url":"https://www.pcvue.com/security/#SB2026-5"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<b>Harden the configuration</b><br><u>Who should apply this recommendation:</u> All users<br>\n\nTo reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:\n\n<ul><li>Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.</li><li>Locate control system networks and remote devices behind firewalls and isolate them from business networks.</li><li>When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.</li></ul><div>Additional deployment guidance and recommended practices are available in the product documentation (<a href=\"https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/hardening-guide/overview.php\">Hardening Guide</a>).</div><br><b>Update PcVue</b><br><u>Who should apply this recommendation:</u> All users using the affected component <br><br>Apply the corrective update by installing PcVue Initial Release 17.0.0 or later\n<br>In a patched release, it will no longer be possible to load User directory from earlier versions. Existing projects designed with an earlier version require explicit migration using the ProjectUtility CLI tool. Instructions are provided in the product documentation (<a href=\"https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/tools/project-utility-cli.php\">Project Utility CLI reference</a>).\n<br>To verify that the patch is applied correctly, you must check that the File version property of the file ./bin/sv32.exe matches release 17.0.0 (17.0.0902.3726) or later, and ensure that any earlier release is no longer used.<br><br><br>\n\n<b>Available patches:</b><br>Patch provided in:<br><ul><li>PcVue 17.0.0 (17.0.0902.3726)</li></ul>"}],"value":"Harden the configuration\nWho should apply this recommendation: All users\n\n\nTo reduce the risk of exploitation, ARC Informatique strongly recommends implementing the following defensive measures:\n\n  *  Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from insecure networks.\n  *  Locate control system networks and remote devices behind firewalls and isolate them from business networks.\n  *  When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\n\nAdditional deployment guidance and recommended practices are available in the product documentation ( Hardening Guide https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/hardening-guide/overview.php ).\n\n\nUpdate PcVue\nWho should apply this recommendation: All users using the affected component \n\nApply the corrective update by installing PcVue Initial Release 17.0.0 or later\n\nIn a patched release, it will no longer be possible to load User directory from earlier versions. Existing projects designed with an earlier version require explicit migration using the ProjectUtility CLI tool. Instructions are provided in the product documentation ( Project Utility CLI reference https://www.pcvue.com/ProductHelp/PcVue/en/Content/Deployment/tools/project-utility-cli.php ).\n\nTo verify that the patch is applied correctly, you must check that the File version property of the file ./bin/sv32.exe matches release 17.0.0 (17.0.0902.3726) or later, and ensure that any earlier release is no longer used.\n\n\n\n\nAvailable patches:\nPatch provided in:\n  *  PcVue 17.0.0 (17.0.0902.3726)"}],"source":{"advisory":"SB2026-5","discovery":"UNKNOWN"},"title":"Weak encryption mechanism for User directory","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","assignerShortName":"arcinfo","cveId":"CVE-2026-14868","datePublished":"2026-07-07T09:26:55.347Z","dateReserved":"2026-07-06T13:45:32.651Z","dateUpdated":"2026-07-07T12:07:31.124Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-07 10:16:40","lastModifiedDate":"2026-07-09 18:32:08","problem_types":["CWE-326","CWE-326 CWE-326 Inadequate Encryption Strength"],"metrics":{"cvssMetricV40":[{"source":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber","baseScore":8.4,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"YES","Recovery":"USER","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}],"ssvcV203":[{"source":"87c8e6ad-f0f5-4ca8-89e2-89f26d6ed932","ssvcData":{"options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CNA","version":"2.0.3"}},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-07T12:07:11.716678Z","id":"CVE-2026-14868","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:arcinfo:pcvue:*:*:*:*:*:*:*:*","versionEndExcluding":"17.0.0","matchCriteriaId":"62062D62-40E8-496A-A847-6D864DDA46C9"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"14868","Ordinal":"1","Title":"Weak encryption mechanism for User directory","CVE":"CVE-2026-14868","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"14868","Ordinal":"1","NoteData":"The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.","Type":"Description","Title":"Weak encryption mechanism for User directory"}]}}}