CVE-2026-35383
Exposed Access Token in Bentley iTwin Enables Asset Deletion
Publication date: 2026-04-02
Last updated on: 2026-04-02
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bentley_systems | itwin_platform | * |
| bentley_systems | itwin_platform | 2026-03-27 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-540 | Source code on a web server or repository often contains sensitive information and should generally not be accessible to users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-35383 is a security vulnerability in the Bentley Systems iTwin Platform where a Cesium ion access token was exposed in the source code of some web pages.
This exposed token could be used by an unauthenticated attacker to enumerate or delete certain assets managed by the platform.
The vulnerability falls under CWE-540, which involves the inclusion of sensitive information in source code.
As of March 27, 2026, the token was removed from the web pages, mitigating the risk and preventing unauthorized access.
How can this vulnerability impact me?
If exploited, this vulnerability allows an unauthenticated attacker to use the exposed Cesium ion access token to enumerate or delete certain assets on the Bentley Systems iTwin Platform.
This means unauthorized parties could potentially view metadata or remove assets, leading to loss of data availability and partial confidentiality impact.
The vulnerability is remotely exploitable without any privileges or user interaction, increasing the risk of attack.
However, the issue was fixed by removing the token from the web pages as of March 27, 2026, so updated versions no longer expose this risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the exposure of a Cesium ion access token in the source code of some web pages. To detect it, you can inspect the source code of the affected web pages for the presence of such tokens.
A practical approach is to use command-line tools to search for the token pattern in the HTML source of the web pages served by the Bentley Systems iTwin Platform.
- Use `curl` or `wget` to fetch the web page source, then grep for keywords like `accessToken` or token patterns.
- Example command: `curl -s https://your-itwin-platform-url | grep -i 'accessToken'`
- Alternatively, use browser developer tools to view the page source and search for the token.
Since the token was removed as of March 27, 2026, any presence of such tokens in your environment indicates a vulnerable or outdated version.
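An added example (not code from the page or from Bentley): an offline Python version of the grep check above that scans saved page source for token-bearing assignments and for JWT-shaped strings, then decodes any JWT payload without verifying it so you can see what scopes an exposed token carries. The key names, the scope names, the read-only heuristic and the sample page are assumptions/constructed for this example.

```python
import base64
import json
import re

# A JWT is three base64url segments; a JSON header always encodes '{"' -> "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# Key/property names that carry a token: CesiumJS's Ion.defaultAccessToken plus
# generic names (assumed list; extend it for your own pages).
KEY_RE = re.compile(
    r"(defaultAccessToken|accessToken|access_token)['\"]?\s*[:=]\s*['\"]([^'\"]{16,})['\"]", re.I)

def decode_jwt_claims(token: str):
    """Payload claims of a JWT, NOT signature-verified: for triage only."""
    try:
        seg = token.split(".")[1]
        return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    except (IndexError, ValueError):  # not a JWT, bad base64 or bad JSON
        return None

def find_exposed_tokens(source: str) -> list:
    """Return [{key, token, claims}] for each token-like value in page source."""
    hits = list(KEY_RE.findall(source))                    # named assignments / keys
    hits += [(None, t) for t in JWT_RE.findall(source)]    # JWTs stored under other names
    findings, seen = [], set()
    for key, token in hits:
        if token not in seen:
            seen.add(token)
            findings.append({"key": key, "token": token,
                             "claims": decode_jwt_claims(token)})
    return findings

def non_readonly_scopes(claims) -> list:
    """Heuristic (assumed naming): scopes not ending in ':read'/':list' may modify or delete."""
    return [s for s in (claims or {}).get("scopes", [])
            if not s.endswith((":read", ":list"))]

def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for the sample page (signature segment is junk)."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([b64(b'{"alg":"HS256","typ":"JWT"}'),
                     b64(json.dumps(claims).encode()), "c2lnbmF0dXJl"])

SAMPLE_TOKEN = _fake_jwt({"jti": "sample", "scopes": ["assets:read", "assets:write"]})
# Constructed sample page: one CesiumJS-style token plus one opaque token.
SAMPLE_HTML = f"""<html><script>
  Cesium.Ion.defaultAccessToken = "{SAMPLE_TOKEN}";
  const cfg = {{ "accessToken": "opaque-sample-token-0123456789" }};
</script></html>"""
```

Run `find_exposed_tokens` over the output of `curl -s` saved to a file; a finding whose `non_readonly_scopes` list is non-empty is the case to revoke first.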
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to ensure that the exposed Cesium ion access token is removed from the web pages, as was done in the fixed release dated March 27, 2026.
If you are running a vulnerable version of the Bentley Systems iTwin Platform, upgrade to the fixed version released on or after 2026-03-27 to eliminate the token exposure.
Additionally, follow best practices for token management such as:
- Regenerate or revoke any potentially compromised tokens to prevent unauthorized use.
- Configure tokens with minimal required scopes and apply URL restrictions to limit token misuse.
- Regularly rotate tokens and monitor token usage for suspicious activity.