Itwin Platform
Monthly
Bentley Systems iTwin Platform exposed a Cesium ion access token in web page source code, allowing unauthenticated attackers to enumerate or delete assets managed through Cesium ion services. The token was present in all versions prior to 2026-03-27 and has since been removed and revoked; no further enumeration or deletion is possible with the exposed token. This is a credential disclosure vulnerability affecting iTwin Platform users who relied on the compromised token for asset management.
Bentley Systems iTwin Platform exposed a Cesium ion access token in web page source code, allowing unauthenticated attackers to enumerate or delete assets managed through Cesium ion services. The token was present in all versions prior to 2026-03-27 and has since been removed and revoked; no further enumeration or deletion is possible with the exposed token. This is a credential disclosure vulnerability affecting iTwin Platform users who relied on the compromised token for asset management.