{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35383", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-04-02T14:02:18.782Z", "datePublished": "2026-04-02T19:04:09.008Z", "dateUpdated": "2026-04-02T19:04:09.008Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets."}], "affected": [{"vendor": "Bentley Systems", "product": "iTwin Platform", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "2026-03-27", "versionType": "custom"}, {"version": "2026-03-27", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-540 Inclusion of Sensitive Information in Source Code", "lang": "en", "type": "CWE", "cweId": "CWE-540"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:39:05.356015Z", "id": "CVE-2026-35383", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "Bentley Systems iTwin Platform exposed access token", "references": [{"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-35383"}, {"name": "url", "url": "https://cesium.com/learn/ion/cesium-ion-access-tokens/"}], "credits": [{"value": "Mohamed Samy Dawood", "lang": "en"}], "datePublic": "2026-04-02T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-04-02T19:04:09.008Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets."}], "id": "CVE-2026-35383", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-04-02T20:16:29.260", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://cesium.com/learn/ion/cesium-ion-access-tokens/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.cve.org/CVERecord?id=CVE-2026-35383"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-540"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026-03-27)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "2026-03-27"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iTwin Platform", "source": "cna", "vendor": "Bentley Systems"}, "product": "itwin_platform", "vendor": "bentley_systems"}], "analysis": {"en": {"generated_at": "2026-04-02T22:49:41.305104+00:00", "value": {"mitigation_remediation": ["Verify that the Cesium ion access token is no longer embedded in any iTwin web pages", "Update the iTwin Platform to the latest release that removes the exposed token", "Review source code and configuration files for any remaining secrets or tokens", "Monitor web pages and server logs for unauthorized access or token usage", "Contact Bentley Systems if the token remains or further guidance is needed"], "summary": {"action": "Apply Fix", "impact": "Exposed Cesium ion access token allowing unauthenticated enumeration or deletion of assets"}, "threat_synthesis": {"affected_systems": "Bentley Systems iTwin Platform is affected. Specific version information is not provided in the advisory, so all instances of the product should be verified for the presence of the exposed token.", "description_and_impact": "The vulnerability involves the iTwin Platform exposing a Cesium ion access token in the source of several web pages. An attacker without authentication can use the token to enumerate or delete certain assets, thereby compromising both the confidentiality and integrity of platform data. The weakness aligns with CWE\u2011540, which concerns the exposure of information via public channels.", "risk_and_exploitability": "The CVSS score is 6.9, indicating a medium severity vulnerability. EPSS information is unavailable and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be unauthenticated access to web pages, where the token can be discovered in source code. Exploitation is likely straightforward given the public availability of the page content, making the risk moderate but significant for any organization still exposing the token."}}}}, "created": "2026-04-03T07:31:31.239773+00:00", "updated": "2026-04-03T09:16:27.246799+00:00", "vendors": ["bentley_systems", "bentley_systems$PRODUCT$itwin_platform"]}