CVE-2026-35383: CWE-540 Inclusion of Sensitive Information in Source Code in Bentley Systems iTwin Platform
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
AI Analysis
Technical Summary
Bentley Systems iTwin Platform inadvertently exposed a Cesium ion access token within the source code of certain web pages. This token could be used by unauthenticated attackers to enumerate or delete assets associated with the platform. The vulnerability is categorized under CWE-540, indicating sensitive information disclosure in source code. The issue was addressed by removing the token from the web pages as of 2026-03-27, effectively mitigating the risk. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality and availability impact.
Potential Impact
An unauthenticated attacker could leverage the exposed Cesium ion access token to enumerate or delete certain assets on the iTwin Platform, potentially leading to limited confidentiality and availability impact. Since the token was publicly accessible in the source code, this could allow unauthorized asset manipulation. However, the token has been removed, and no known exploits have been reported in the wild.
Mitigation Recommendations
The vulnerability has been mitigated by removing the exposed Cesium ion access token from the web pages as of 2026-03-27. Users should ensure they are using the updated version of the platform or verify that the token is no longer present in their deployment. No further action is required if the token is confirmed removed.
CVE-2026-35383: CWE-540 Inclusion of Sensitive Information in Source Code in Bentley Systems iTwin Platform
Description
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Bentley Systems iTwin Platform inadvertently exposed a Cesium ion access token within the source code of certain web pages. This token could be used by unauthenticated attackers to enumerate or delete assets associated with the platform. The vulnerability is categorized under CWE-540, indicating sensitive information disclosure in source code. The issue was addressed by removing the token from the web pages as of 2026-03-27, effectively mitigating the risk. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector, low complexity, no privileges or user interaction required, and limited confidentiality and availability impact.
Potential Impact
An unauthenticated attacker could leverage the exposed Cesium ion access token to enumerate or delete certain assets on the iTwin Platform, potentially leading to limited confidentiality and availability impact. Since the token was publicly accessible in the source code, this could allow unauthorized asset manipulation. However, the token has been removed, and no known exploits have been reported in the wild.
Mitigation Recommendations
The vulnerability has been mitigated by removing the exposed Cesium ion access token from the web pages as of 2026-03-27. Users should ensure they are using the updated version of the platform or verify that the token is no longer present in their deployment. No further action is required if the token is confirmed removed.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- cisa-cg
- Date Reserved
- 2026-04-02T14:02:18.782Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cec5aae6bfc5ba1dfbd832
Added to database: 4/2/2026, 7:38:18 PM
Last enriched: 4/17/2026, 11:46:41 AM
Last updated: 5/20/2026, 3:58:26 PM
Views: 75
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.