CVE-2026-1698: PcVue WebClient & WebScheduler RCE Flaw

CVE-2026-1698 Overview

A HTTP Host header attack vulnerability has been identified in PcVue's WebClient and WebScheduler web applications. This vulnerability affects versions 15.0.0 through 16.3.3 and allows remote attackers to inject harmful payloads that manipulate server-side behavior through improper validation of the HTTP Host header.

The vulnerability specifically impacts three authentication-related endpoints: /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout within the WebClient and WebScheduler web applications.

Critical Impact
Remote attackers can exploit HTTP Host header injection to manipulate server-side behavior, potentially leading to cache poisoning, password reset attacks, or redirection to malicious sites during authentication flows.

Affected Products

PcVue WebClient versions 15.0.0 through 16.3.3
PcVue WebScheduler versions 15.0.0 through 16.3.3
Authentication endpoints within affected web applications

Discovery Timeline

February 26, 2026 - CVE-2026-1698 published to NVD
February 26, 2026 - Last updated in NVD database

Technical Details for CVE-2026-1698

Vulnerability Analysis

This HTTP Host header attack vulnerability (CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax) allows attackers to inject malicious values into the HTTP Host header. When the vulnerable PcVue web applications process authentication requests, they fail to properly validate or sanitize the Host header value before using it in server-side operations.

The vulnerability is particularly concerning because it affects authentication-related endpoints. During the authentication flow, applications often use the Host header to generate URLs for redirects, password reset links, or callback URLs. An attacker who can control or influence these URLs could redirect users to malicious sites or intercept authentication tokens.

Root Cause

The root cause of this vulnerability is improper neutralization of HTTP headers for scripting syntax (CWE-644). The WebClient and WebScheduler applications trust the HTTP Host header provided by the client without adequate validation. When this untrusted input is used to construct URLs or influence application behavior, it creates an injection vector for attackers.

The affected endpoints (/Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout) appear to use the Host header value in authentication workflows, potentially for constructing redirect URLs or callback addresses.

Attack Vector

The attack is network-based and requires no authentication to exploit. An attacker can craft malicious HTTP requests with a manipulated Host header targeting the vulnerable authentication endpoints. The attack typically requires some form of user interaction, such as clicking on a malicious link that triggers the authentication flow.

A typical exploitation scenario involves an attacker sending a crafted HTTP request with a malicious Host header value. When the application uses this header to generate redirect URLs during authentication, users may be redirected to attacker-controlled domains, potentially exposing authentication tokens or credentials.

For detailed technical information, refer to the PCVue Security Bulletin SB2026-2.

Detection Methods for CVE-2026-1698

Indicators of Compromise

Unusual or unexpected Host header values in HTTP logs for authentication endpoints
HTTP requests to /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, or /Authentication/Logout with Host headers containing external or suspicious domain names
Authentication redirect URLs pointing to domains other than the legitimate PcVue server
Web server logs showing mismatched Host headers and destination IP addresses

Detection Strategies

Implement web application firewall (WAF) rules to detect and block HTTP requests with malformed or suspicious Host headers
Monitor authentication endpoint access logs for requests with Host headers that don't match expected server names
Deploy anomaly detection to identify authentication flows redirecting to unexpected domains
Review proxy and load balancer logs for Host header manipulation attempts

Monitoring Recommendations

Enable detailed HTTP logging for all PcVue WebClient and WebScheduler authentication endpoints
Configure SIEM rules to alert on Host header anomalies in requests to affected endpoints
Monitor for unusual patterns in authentication callback URLs
Track failed authentication attempts that may indicate exploitation attempts

How to Mitigate CVE-2026-1698

Immediate Actions Required

Update PcVue to a version newer than 16.3.3 where the vulnerability has been patched
Implement strict Host header validation at the web server or reverse proxy level
Configure allowed Host values in web server configuration to reject requests with unexpected Host headers
Review authentication logs for any evidence of prior exploitation attempts

Patch Information

ARC Informatique has released security information regarding this vulnerability in PCVue Security Bulletin SB2026-2. Organizations should consult this bulletin for specific patch versions and upgrade instructions. Apply the latest security updates from the vendor to address this vulnerability.

Workarounds

Configure web servers (IIS, Apache, Nginx) to validate and whitelist allowed Host header values
Implement a reverse proxy that enforces strict Host header policies before requests reach PcVue applications
Use web application firewalls to filter requests with manipulated Host headers to authentication endpoints
Consider restricting network access to authentication endpoints to trusted IP ranges where feasible

bash

# Example: Nginx configuration to validate Host header
server {
    listen 443 ssl;
    server_name pcvue.example.com;
    
    # Reject requests with invalid Host headers
    if ($host !~ ^(pcvue\.example\.com)$) {
        return 444;
    }
    
    # Additional security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
}