Description
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
Published: 2026-04-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Exposed Cesium ion access token allowing unauthenticated enumeration or deletion of assets
Action: Apply Fix
AI Analysis

Impact

The vulnerability involves the iTwin Platform exposing a Cesium ion access token in the source of several web pages. An attacker without authentication can use the token to enumerate or delete certain assets, thereby compromising both the confidentiality and integrity of platform data. The weakness aligns with CWE-540, which concerns the exposure of information via public channels.

Affected Systems

Bentley Systems iTwin Platform is affected. Specific version information is not provided in the advisory, so all instances of the product should be verified for the presence of the exposed token.

Risk and Exploitability

The CVSS score is 6.9, indicating a medium severity vulnerability. EPSS information is unavailable and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be unauthenticated access to web pages, where the token can be discovered in source code. Exploitation is likely straightforward given the public availability of the page content, making the risk moderate but significant for any organization still exposing the token.

Generated by OpenCVE AI on April 2, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that the Cesium ion access token is no longer embedded in any iTwin web pages
  • Update the iTwin Platform to the latest release that removes the exposed token
  • Review source code and configuration files for any remaining secrets or tokens
  • Monitor web pages and server logs for unauthorized access or token usage
  • Contact Bentley Systems if the token remains or further guidance is needed

Generated by OpenCVE AI on April 2, 2026 at 22:49 UTC.
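A check for the first recommended action, added here as example code (not from OpenCVE or Bentley Systems): it scans retrieved page HTML for JWT-shaped strings, flags those assigned to CesiumJS's real `Cesium.Ion.defaultAccessToken` property, and decodes the unverified payload so the scopes the token claims can be reviewed. The sample HTML and token are constructed, and the claim names inside the token (`scopes`, `jti`) are an assumption, not taken from the advisory.

```python
import base64
import json
import re

def _b64url(obj):
    """base64url-encode a JSON object without padding (JWT segment form)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample page: the property name Cesium.Ion.defaultAccessToken is
# CesiumJS's real setting; the token is a constructed, non-functional JWT-shaped
# string and its claim names are an assumption, not taken from the advisory.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"jti": "constructed-id", "scopes": ["assets:list", "assets:read"]}),
    "constructed-signature",
])
SAMPLE_HTML = (
    '<html><head><script>\n'
    f'Cesium.Ion.defaultAccessToken = "{SAMPLE_TOKEN}";\n'
    '</script></head><body>iTwin viewer</body></html>'
)

# JWTs are three base64url segments; the header segment always starts "eyJ".
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
ION_ASSIGN_RE = re.compile(r"Cesium\.Ion\.defaultAccessToken\s*=\s*['\"]?$")

def decode_jwt_payload(token):
    """Return the JWT payload claims without verifying the signature (review only)."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))

def find_exposed_tokens(html):
    """Find JWT-shaped tokens in page source; flag those wired in as the ion default token."""
    findings = []
    for m in JWT_RE.finditer(html):
        token = m.group(0)
        try:
            claims = decode_jwt_payload(token)
        except (ValueError, UnicodeDecodeError):
            continue  # looked like a JWT but is not one; ignore
        preceding = html[max(0, m.start() - 80):m.start()]
        findings.append({
            "ion_default_token": bool(ION_ASSIGN_RE.search(preceding)),
            "scopes": claims.get("scopes", []),
            "token_preview": token[:10] + "...",  # never log the full secret
        })
    return findings
```

Run it over the HTML of each iTwin-hosted page you serve; any finding with `ion_default_token` true means the token is still embedded and should be revoked and rotated in Cesium ion, not just removed from the page.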

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Bentley Systems
                                      Bentley Systems itwin Platform
Vendors & Products   (none)           Bentley Systems
                                      Bentley Systems itwin Platform

Thu, 02 Apr 2026 20:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
Title         (none)           Bentley Systems iTwin Platform exposed access token
Weaknesses    (none)           CWE-540
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}
                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-04-02T19:04:09.008Z

Reserved: 2026-04-02T14:02:18.782Z

Link: CVE-2026-35383

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-02T20:16:29.260

Modified: 2026-04-02T20:16:29.260

Link: CVE-2026-35383

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:16:27Z

Weaknesses