CVE-2026-35383

MEDIUM

Bentley Systems iTwin Platform exposed access token

Title source: cna

Description

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

References (3)

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json

https://www.cve.org/CVERecord?id=CVE-2026-35383

https://cesium.com/learn/ion/cesium-ion-access-tokens/

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 14.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Details

CWE

CWE-540

Status published

Products (2)

Bentley Systems/iTwin Platform < 2026-03-27

Bentley Systems/iTwin Platform 2026-03-27

Published Apr 02, 2026

Tracked Since Apr 03, 2026