CVE-2026-35383 MEDIUM

CVE-2026-35383: Bentley Systems iTwin Platform exposed access token

Vendor: Bentley Systems
Product: iTwin Platform
Weakness: CWE-540
Published: April 2, 2026
Last update: April 14, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

01 Description

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

Key dates

02 Disclosure timeline

April 2, 2026: CVE published
April 14, 2026: Record updated