Token Exposure Vulnerability in Bentley Systems iTwin Platform
CVE-2026-35383

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 2 April 2026

What is CVE-2026-35383?

The iTwin Platform from Bentley Systems exposed a Cesium ion access token in the source code of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain digital assets. The vulnerability was addressed as of March 27, 2026: the access token is no longer present in the web content, which mitigates the risk of unauthorized asset manipulation.
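A check that a site owner can run over their own served HTML/JS to catch this class of exposure before release. This is an added example, not code from Bentley Systems or Cesium. It assumes the token has the JWT shape and that it may sit near `Cesium.Ion.defaultAccessToken` (the CesiumJS setting for an ion token); the page states neither, and the sample page and token are constructed.

```python
import base64
import json
import re

# JWT shape: three base64url segments; "eyJ" is the base64 of '{"'.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{10,}")
# Assumption: text just before the token hints that it is a Cesium ion credential.
ION_HINT_RE = re.compile(r"defaultAccessToken|cesium|\bion\b", re.I)

def b64url_json(segment):
    """Decode one base64url JWT segment to JSON, or None if it does not decode."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error, JSON and UTF-8 decode errors
        return None

def find_embedded_tokens(source, context=80):
    """Return one finding per decodable JWT-shaped string in served page source."""
    findings = []
    for m in JWT_RE.finditer(source):
        header, payload, _sig = m.group(0).split(".")
        claims = b64url_json(payload)
        if b64url_json(header) is None or claims is None:
            continue  # JWT-shaped but not decodable: not a token
        before = source[max(0, m.start() - context):m.start()]
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "redacted": m.group(0)[:8] + "...",  # never log the full credential
            "claim_names": sorted(claims),
            "cesium_ion_hint": bool(ION_HINT_RE.search(before)),
        })
    return findings

def make_sample_token():
    """Build a constructed, non-functional JWT-shaped string for the demo."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"jti": "constructed", "id": 0}),
                     "c2lnbmF0dXJlLXBsYWNlaG9sZGVy"])

# Constructed sample page: one embedded token, one string that is not a token.
SAMPLE_PAGE = (
    "<html><body>\n<script>\n"
    f"  Cesium.Ion.defaultAccessToken = '{make_sample_token()}';\n"
    "  const build = 'eyJub3QtYS10b2tlbg';\n"
    "</script>\n</body></html>\n"
)
```

Any finding in content served to unauthenticated users is a reason to rotate the token and move the call that needs it behind the server.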

Affected Version(s)

iTwin Platform 0 < 2026-03-27

iTwin Platform 2026-03-27

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Mohamed Samy Dawood