PT-2026-29884 · Bentley Systems · iTwin Platform
Published: 2026-04-02 · Updated: 2026-04-02 · CVE-2026-35383
CVSS v3.1: 6.5 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
Fix
Weakness Enumeration
Related Identifiers
Affected Products
iTwin Platform