PatchSiren cyber security CVE debrief

CVE-2026-35383 Bentley Systems CVE debrief

Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets. The vulnerability has been mitigated, and no further action is required from users. The incident highlights the importance of secure coding practices and access token management.

Vendor: Bentley Systems
Product: iTwin Platform
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-02
Original CVE updated: 2026-04-02
Advisory published: 2026-04-02
Advisory updated: 2026-04-02

Who should care

Security teams and administrators responsible for Bentley Systems iTwin Platform should review and verify that their instances are not affected by this vulnerability. Although the token has been removed, it is essential to confirm that no similar token exposure exists elsewhere in the platform's code. Developers who handle access tokens and other sensitive data should also be aware of the risks of embedding such tokens in client-visible sources.

Technical summary

The vulnerability involves an exposed Cesium ion access token in the source code of some web pages in Bentley Systems iTwin Platform. This token could be used by an unauthenticated attacker to enumerate or delete certain assets. The token was removed as of 2026-03-27, and the vulnerability has been mitigated. The incident demonstrates the importance of secure coding practices, access token management, and regular code reviews.

Defensive priority

Medium priority should be given to reviewing and verifying that Bentley Systems iTwin Platform instances are not affected by this vulnerability. Although the token has been removed, it is essential to confirm that no similar token exposure exists elsewhere in the platform's code.

Recommended defensive actions

  • Review and verify that Bentley Systems iTwin Platform instances are not affected by this vulnerability.
  • Ensure that similar issues do not exist in the platform's code by performing regular code reviews.
  • Develop and implement secure coding practices for access token management.
  • Monitor the platform for any potential security issues related to access tokens.
  • Update incident response plans to include procedures for handling exposed access tokens.
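The actions above amount to a defender-side check for the class of issue in this debrief: a credential embedded in client-served page source. The script below is an added example, not code from PatchSiren, Bentley Systems, or Cesium. It scans HTML/JS text for JWT-shaped strings (Cesium ion access tokens are JWTs, and CesiumJS pages conventionally set them via `Cesium.Ion.defaultAccessToken`), decodes the unverified header and payload so a reviewer can see what the leaked token claims to grant, and rates the finding. The sample page, token, issuer, and scope names are constructed for the example; the severity heuristic is an assumption, not a vendor rule.

```python
"""Scan served web page sources for embedded JWT-shaped access tokens.

Defensive check: point it at your own HTML / JS bundles (what a browser can
fetch) to catch secrets that leaked into client-side code.
"""
import base64
import json
import re
from typing import Optional

# A JSON JWT header base64url-encodes to a string beginning "eyJ"; the token is
# three base64url segments separated by dots.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")

# Heuristic (assumption): payload text containing these words suggests the
# token can modify or remove data, not just read it.
WRITE_HINTS = ("delete", "write", "admin")


def _b64url_decode(segment: str) -> bytes:
    """base64url decode, restoring the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Decode header and payload WITHOUT signature verification.

    This only describes what a discovered token claims to be; it never proves
    the token is valid, which is fine for triaging a leak.
    """
    try:
        header, payload, _sig = token.split(".")
        return {
            "header": json.loads(_b64url_decode(header)),
            "payload": json.loads(_b64url_decode(payload)),
        }
    except (ValueError, UnicodeDecodeError):  # json.JSONDecodeError is a ValueError
        return None


def find_embedded_tokens(source: str, origin: str = "<inline>") -> list:
    """Return one finding per JWT-shaped string, with line number and claims."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in JWT_RE.finditer(line):
            token = match.group(0)
            findings.append({
                "origin": origin,
                "line": line_no,
                # Never log the full secret; a preview is enough to locate it.
                "token_preview": token[:12] + "..." + token[-6:],
                "claims": decode_jwt_claims(token),
            })
    return findings


def severity(finding: dict) -> str:
    """Rate a finding: any leaked credential is at least medium; write/delete
    capability in the claims raises it to high."""
    claims = finding.get("claims")
    if not claims:
        return "medium"  # opaque or undecodable token is still a leaked secret
    payload_text = json.dumps(claims["payload"]).lower()
    return "high" if any(hint in payload_text for hint in WRITE_HINTS) else "medium"


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned-in-practice JWT for the demo page."""
    header = {"alg": "HS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-signature"),
    ])


# Constructed sample page (not Bentley's code): a CesiumJS-style viewer that
# sets its ion token in client-side JavaScript. Issuer and scopes are made up.
SAMPLE_TOKEN = make_sample_token(
    {"iss": "constructed-issuer", "scopes": ["assets:list", "assets:delete"]}
)
SAMPLE_PAGE = f"""<html><head><script src="Cesium.js"></script></head>
<body><script>
  Cesium.Ion.defaultAccessToken = "{SAMPLE_TOKEN}";
  const viewer = new Cesium.Viewer("cesiumContainer");
</script></body></html>
"""


if __name__ == "__main__":
    for f in find_embedded_tokens(SAMPLE_PAGE, "sample.html"):
        print(f"[{severity(f).upper()}] {f['origin']}:{f['line']} {f['token_preview']}")
        if f["claims"]:
            print("  claims:", json.dumps(f["claims"]["payload"]))
```

Run it over the files your web tier actually serves (rendered HTML plus bundled JS), not only the repository, since templating and build steps are where tokens commonly get inlined. A hit with a read-only payload is still a rotation event; a hit whose claims permit writes or deletes should be treated as an active-exposure incident.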

Evidence notes

The source item provided by CISA contains detailed information about the vulnerability, including a description of the issue, affected products, and mitigation details. The CVE record and NVD detail provide additional context and information about the vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.