Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35383 is a security vulnerability in the Bentley Systems iTwin Platform where a Cesium ion access token was exposed in the source code of some web pages.

This exposed token could be used by an unauthenticated attacker to enumerate or delete certain assets managed by the platform.

The vulnerability falls under CWE-540, which involves the inclusion of sensitive information in source code.

As of March 27, 2026, the token was removed from the web pages, mitigating the risk and preventing unauthorized access.

Useful 0 Not Useful 0

Impact Analysis

If exploited, this vulnerability allows an unauthenticated attacker to use the exposed Cesium ion access token to enumerate or delete certain assets on the Bentley Systems iTwin Platform.

This means unauthorized parties could potentially view metadata or remove assets, leading to loss of data availability and partial confidentiality impact.

The vulnerability is remotely exploitable without any privileges or user interaction, increasing the risk of attack.

However, the issue was fixed by removing the token from the web pages as of March 27, 2026, so updated versions no longer expose this risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the exposure of a Cesium ion access token in the source code of some web pages. To detect it, you can inspect the source code of the affected web pages for the presence of such tokens.

A practical approach is to use command-line tools to search for the token pattern in the HTML source of the web pages served by the Bentley Systems iTwin Platform.

• Use curl or wget to fetch the web page source, then grep for keywords like 'accessToken' or token patterns.
• Example command: curl -s https://your-itwin-platform-url | grep -i 'accessToken'
• Alternatively, use browser developer tools to view the page source and search for the token.

Since the token was removed as of March 27, 2026, any presence of such tokens in your environment indicates a vulnerable or outdated version.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to ensure that the exposed Cesium ion access token is removed from the web pages, as was done in the fixed release dated March 27, 2026.

If you are running a vulnerable version of the Bentley Systems iTwin Platform, upgrade to the fixed version released on or after 2026-03-27 to eliminate the token exposure.

Additionally, follow best practices for token management such as:

• Regenerate or revoke any potentially compromised tokens to prevent unauthorized use.
• Configure tokens with minimal required scopes and apply URL restrictions to limit token misuse.
• Regularly rotate tokens and monitor token usage for suspicious activity.

Useful 0 Not Useful 0