๐Ÿ” CVE Alert

CVE-2026-35383

MEDIUM 6.5

Bentley Systems iTwin Platform exposed access token

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 14th

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

CWE: CWE-540
Vendor: bentley systems
Product: itwin platform
Published: Apr 2, 2026
Last Updated: Apr 14, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low

Affected Versions

Bentley Systems / iTwin Platform
0 < 2026-03-27

References

raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json
cve.org: https://www.cve.org/CVERecord?id=CVE-2026-35383
cesium.com: https://cesium.com/learn/ion/cesium-ion-access-tokens/

Credits

Mohamed Samy Dawood (Specter), Independent Security Researcher