PcVue, Host Header Injection, CVE-2026-1698 (Medium)

Listen to this Post

This vulnerability is an HTTP Host header attack, classified under CWE-644, which affects the PcVue WebClient and WebScheduler web applications . The core issue is that the application fails to properly neutralize the HTTP Host header, allowing an attacker to inject harmful payloads. Specifically, the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and `/Authentication/Logout` do not validate or sanitize the Host header value. A remote attacker can craft a malicious link that, when clicked by an authenticated user, sends a request with a manipulated Host header to the server. The server, trusting this header, may then generate responses that lead to actions like cache poisoning, password reset poisoning, or the leakage of authentication secrets. The attack vector is network-based, requires no privileges, but depends on user interaction (e.g., clicking a link). The CVSS v4.0 score is 5.3 (Medium), indicating a moderate risk with low impact on confidentiality and integrity, but no impact on availability .

dailycve form:

Platform: PcVue Web Apps
Version: 15.0.0-16.3.3
Vulnerability : Host Header Injection
Severity: Medium (CVSS 5.3)
date: 2026-02-26

Prediction: 2026-Q2 (v15.2.14)

What Undercode Say:

Analytics

The vulnerability is present in all versions from 15.0.0 up to and including 16.3.3. According to the vendor’s security bulletin, a fix is already available in version 16.3.4, and a patch for the 15.2 branch (version 15.2.14) is planned . Given the specific nature of the attack (targeting authentication endpoints) and the requirement for user interaction, widespread automated exploitation is less likely, but targeted phishing campaigns against industrial control system (ICS) personnel pose a significant risk. The countries most likely affected by this vulnerability include the United States, France, Germany, and other nations with heavy industrial automation infrastructure .

Bash Commands / Code

The following commands can be used to test for the vulnerability by manipulating the Host header in a request to one of the affected endpoints.

Example 1: Basic Host header injection test using curl
Replace <PCVUE_SERVER_IP> with the target's IP and <ATTACKER_SITE.com> with your test server.
curl -H "Host: <ATTACKER_SITE.com>" \
"http://<PCVUE_SERVER_IP>/Authentication/ExternalLogin"
Example 2: Attempting to poison a password reset request (hypothetical)
curl -X POST \
-H "Host: <ATTACKER_SITE.com>" \
-d "username=admin" \
"http://<PCVUE_SERVER_IP>/Authentication/Logout"
Example 3: Using a Python script to send a malicious request
python3 << EOF
import requests
url = "http://<PCVUE_SERVER_IP>/Authentication/AuthorizationCodeCallback"
headers = {"Host": "<ATTACKER_SITE.com>"}
response = requests.get(url, headers=headers, allow_redirects=False)
if response.status_code == 302:
location = response.headers.get('Location')
if '<ATTACKER_SITE.com>' in location:
print("[+] Vulnerability confirmed: Redirect location contains attacker domain.")
else:
print("[-] Not vulnerable or patched.")
EOF

How Exploit

  1. Reconnaissance: The attacker identifies a PcVue server running a vulnerable version (15.0.0 to 16.3.3) with the WebClient or WebScheduler application exposed.
  2. Craft Payload: The attacker crafts a malicious URL pointing to one of the three vulnerable endpoints (e.g., /Authentication/ExternalLogin). The URL appears legitimate (pointing to the victim’s server), but the attacker prepares to control the `Host` header. In a real attack, this is often delivered via a link in a phishing email.
  3. Delivery: The attacker tricks a user who is already authenticated with the PcVue web app into clicking the link.
  4. Injection: The user’s browser sends a request to the vulnerable PcVue server. The request includes the attacker’s malicious `Host` header value (e.g., Host: attacker.com).
  5. Manipulation: The server, failing to validate the header, uses this value to construct a dynamic link or response (e.g., a redirect for authentication or a link in a logout confirmation email). The server sends this response back to the user’s browser or, in the case of email-based poisoning, to the user’s inbox.
  6. Impact: The manipulated response can lead to various outcomes. For example, a poisoned password reset email containing a link to `attacker.com` could capture the user’s reset token. A poisoned redirect could send the user’s authentication credentials to the attacker’s server.

Protection from this CVE

  1. Apply Patches: Upgrade to PcVue version 16.3.4 or wait for and apply version 15.2.14 as soon as it is released .
  2. Web Application Firewall (WAF): Deploy or configure a WAF to inspect and filter outbound and inbound traffic. Create custom rules to block requests to the vulnerable endpoints (/Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, /Authentication/Logout) that contain unexpected or modified Host headers.
  3. Input Validation: As a temporary mitigation, if patching is not immediately possible, configure the hosting web server (IIS) to reject requests where the Host header does not match a predefined list of legitimate server names.
  4. User Education: Train users with access to PcVue web interfaces to be cautious of unsolicited links and to manually type the server address into their browser rather than clicking links from emails.

Impact

Successful exploitation allows an attacker to manipulate server-side behavior, potentially leading to:
– Password Reset Poisoning: An attacker can poison the password reset functionality to send a valid reset link to their own server, allowing them to take over a user’s account.
– Cache Poisoning: By poisoning the Host header, an attacker could cause the web cache to store a page that redirects users to a malicious site, affecting multiple users.
– Authentication Bypass/Leakage: By controlling the Host header in authentication redirects, an attacker could potentially leak authorization codes or tokens to their own domain, compromising user sessions and data confidentiality . The impact is limited to the authentication workflow, but a compromised user account in an industrial control system context could lead to significant operational disruptions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top