Skip to main content

Itwin Platform CVE-2026-35383

| EUVDEUVD-2026-18544 MEDIUM
Inclusion of Sensitive Information in Source Code (CWE-540)
2026-04-02 cisa-cg GHSA-3467-w26x-74wv
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026-03-27
EUVD ID Assigned
Apr 02, 2026 - 19:31 euvd
EUVD-2026-18544
Analysis Generated
Apr 02, 2026 - 19:31 vuln.today
CVE Published
Apr 02, 2026 - 19:04 nvd
MEDIUM 6.9

DescriptionCVE.org

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

AnalysisAI

Bentley Systems iTwin Platform exposed a Cesium ion access token in web page source code, allowing unauthenticated attackers to enumerate or delete assets managed through Cesium ion services. The token was present in all versions prior to 2026-03-27 and has since been removed and revoked; no further enumeration or deletion is possible with the exposed token. This is a credential disclosure vulnerability affecting iTwin Platform users who relied on the compromised token for asset management.

Technical ContextAI

Cesium ion access tokens are authentication credentials used to manage geospatial assets and services via the Cesium ion platform, commonly integrated into web applications for 3D visualization and mapping functionality. The vulnerability stems from CWE-540 (Inclusion of Sensitive Information in Source Code), a class of weakness where authentication credentials are hardcoded or embedded in client-accessible locations such as HTML source, JavaScript, or web pages. The iTwin Platform, a Bentley Systems offering for digital twin and infrastructure management, inadvertently exposed such a token in the HTML source of web pages, making it discoverable through simple page source inspection without authentication. Attackers could extract this token and use it to interact with Cesium ion APIs to enumerate (list) or delete assets associated with that token, bypassing intended authorization controls.

RemediationAI

No active remediation is required for the credential exposure itself, as Bentley Systems removed the exposed token from web pages and revoked it as of 2026-03-27, preventing further unauthorized use. Users should review Cesium ion asset access logs between the token's initial exposure and 2026-03-27 to identify any unauthorized enumeration or deletion activity. If suspicious activity is detected, administrators should rotate all Cesium ion access tokens and review asset management policies. Ensure that web applications do not embed authentication credentials in client-accessible source code; store API credentials server-side and use secure token exchange mechanisms instead. Refer to Cesium ion documentation at https://cesium.com/learn/ion/cesium-ion-access-tokens/ for secure token management practices.

Share

CVE-2026-35383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy