Home

Description

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-02 | Updated 2026-04-14 | Assigner cisa-cg




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-540 Inclusion of Sensitive Information in Source Code

Product status

Default status
unknown

Any version before 2026-03-27
affected

2026-03-27
unaffected

Credits

Mohamed Samy Dawood (Specter), Independent Security Researcher

References

raw.githubusercontent.com/...IT/white/2026/va-26-092-01.json (url)

www.cve.org/CVERecord?id=CVE-2026-35383 (url)

cesium.com/learn/ion/cesium-ion-access-tokens/ (url)

cve.org (CVE-2026-35383)

nvd.nist.gov (CVE-2026-35383)

Download JSON