CVE-2026-35383

Summary

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

Affected Software

VendorProductVersion RangeStatus
Bentley SystemsiTwin Platform0 < 2026-03-27affected
Bentley SystemsiTwin Platform2026-03-27unaffected

Weaknesses

  • CWE-540: CWE-540 Inclusion of Sensitive Information in Source Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References