{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "title": "Bentley Systems iTwin Platform exposed access token", "tracking": { "current_release_date": "2026-04-02T17:11:43Z", "generator": { "engine": { "name": "VINCE-NT", "version": "1.13.0+build.51" } }, "id": "VA-26-092-01", "initial_release_date": "2026-04-02T17:11:43Z", "status": "final", "version": "1.0.0", "revision_history": [ { "number": "1.0.0", "summary": "Initial publication", "date": "2026-04-02T17:11:43Z" } ] }, "distribution": { "tlp": { "label": "WHITE" } }, "notes": [ { "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice", "category": "legal_disclaimer" }, { "text": "Worldwide", "title": "Countries and Areas Deployed", "category": "other" }, { "text": "Information Technology", "title": "Critical Infrastructure Sectors", "category": "other" }, { "text": "Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. \nAn unauthenticated attacker could use this token to enumerate or delete certain assets.", "title": "Risk Evaluation", "category": "summary" }, { "text": "As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.", "title": "Recommended Practices", "category": "general" }, { "text": "United States", "title": "Company Headquarters Location", "category": "other" } ], "references": [ { "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json", "summary": "Vulnerability Advisory VA-26-092-01 CSAF", "category": "self" } ] }, "product_tree": { "branches": [ { "category": "vendor", "name": "Bentley Systems", "branches": [ { "category": "product_name", "name": "iTwin Platform", "branches": [ { "category": "product_version_range", "name": "<2026-03-27", "product": { "name": "Bentley Systems iTwin Platform <2026-03-27", "product_id": "CSAFPID-0001" } }, { "category": "product_version", "name": "2026-03-27", "product": { "name": "Bentley Systems iTwin Platform 2026-03-27", "product_id": "CSAFPID-0002" } } ] } ] } ] }, "vulnerabilities": [ { "cve": "CVE-2026-35383", "cwe": { "id": "CWE-540", "name": "Inclusion of Sensitive Information in Source Code" }, "notes": [ { "category": "summary", "text": "Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. \nAs of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.", "title": "Description" }, { "category": "details", "title": "SSVC", "text": "SSVCv2/E:P/A:Y/T:P/2026-03-25T14:39:05Z/" } ], "title": "Bentley Systems iTwin Platform exposed access token", "product_status": { "known_affected": [ "CSAFPID-0001" ], "fixed": [ "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "CSAF", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json" }, { "category": "external", "summary": "CVE", "url": "https://www.cve.org/CVERecord?id=CVE-2026-35383" }, { "category": "external", "summary": "cesium.com", "url": "https://cesium.com/learn/ion/cesium-ion-access-tokens/" } ], "scores": [ { "cvss_v3": { "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "remediations": [ { "category": "mitigation", "details": "The exposed token has been removed and no longer enables access as of 2026-03-27.", "product_ids": [ "CSAFPID-0001" ], "date": "2026-03-27T00:00:00Z" }, { "category": "mitigation", "details": "The exposed token has been removed and no longer enables access as of 2026-03-27.", "product_ids": [ "CSAFPID-0002" ], "date": "2026-03-27T00:00:00Z" } ], "acknowledgments": [ { "names": [ "Mohamed Samy Dawood" ] } ], "release_date": "2026-04-02T00:00:00Z" } ] }