Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
AnalysisAI
Bentley Systems iTwin Platform exposed a Cesium ion access token in web page source code, allowing unauthenticated attackers to enumerate or delete assets managed through Cesium ion services. The token was present in all versions prior to 2026-03-27 and has since been removed and revoked; no further enumeration or deletion is possible with the exposed token. This is a credential disclosure vulnerability affecting iTwin Platform users who relied on the compromised token for asset management.
Technical ContextAI
Cesium ion access tokens are authentication credentials used to manage geospatial assets and services via the Cesium ion platform, commonly integrated into web applications for 3D visualization and mapping functionality. The vulnerability stems from CWE-540 (Inclusion of Sensitive Information in Source Code), a class of weakness where authentication credentials are hardcoded or embedded in client-accessible locations such as HTML source, JavaScript, or web pages. The iTwin Platform, a Bentley Systems offering for digital twin and infrastructure management, inadvertently exposed such a token in the HTML source of web pages, making it discoverable through simple page source inspection without authentication. Attackers could extract this token and use it to interact with Cesium ion APIs to enumerate (list) or delete assets associated with that token, bypassing intended authorization controls.
RemediationAI
No active remediation is required for the credential exposure itself, as Bentley Systems removed the exposed token from web pages and revoked it as of 2026-03-27, preventing further unauthorized use. Users should review Cesium ion asset access logs between the token's initial exposure and 2026-03-27 to identify any unauthorized enumeration or deletion activity. If suspicious activity is detected, administrators should rotate all Cesium ion access tokens and review asset management policies. Ensure that web applications do not embed authentication credentials in client-accessible source code; store API credentials server-side and use secure token exchange mechanisms instead. Refer to Cesium ion documentation at https://cesium.com/learn/ion/cesium-ion-access-tokens/ for secure token management practices.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18544
GHSA-3467-w26x-74wv