CVE-2026-35383

Bentley Systems iTwin Platform exposed access token

CVSS 6.9 MEDIUMEPSS 0.3%CWE-540

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Produtos afetados

Bentley Systems · iTwin Platform

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://cesium.com/learn/ion/cesium-ion-access-tokens/https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json https://www.cve.org/CVERecord?id=CVE-2026-35383