CVE-2026-35383

Description

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Affected products

Bentley Systems / iTwin Platform0 – 2026-03-27
Bentley Systems / iTwin Platform2026-03-27 – 2026-03-27

References

MISChttps://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json
CONFIRMhttps://www.cve.org/CVERecord?id=CVE-2026-35383
MISChttps://cesium.com/learn/ion/cesium-ion-access-tokens/