CVE-2026-35383
CVE-2026-35383 is a medium-severity vulnerability with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-540.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 6.9
- EPSS exploit prediction: 0% (20th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-18544
- Weakness: CWE-540
- Published:
- Last modified:
Description
Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
Frequently asked questions
- What is CVE-2026-35383?
- Bentley Systems iTwin Platform exposed a Cesium ion access token in the source of some web pages. An unauthenticated attacker could use this token to enumerate or delete certain assets. As of 2026-03-27, the token is no longer present in the web pages and cannot be used to enumerate or delete assets.
- How severe is CVE-2026-35383?
- CVE-2026-35383 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability low.
- Is CVE-2026-35383 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-35383?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-35383 have an EU (EUVD) identifier?
- Yes. CVE-2026-35383 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-18544.
- When was CVE-2026-35383 published?
- CVE-2026-35383 was published on 2026-04-02 and last updated on 2026-06-17.
References
- https://cesium.com/learn/ion/cesium-ion-access-tokens/
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-092-01.json
- https://www.cve.org/CVERecord?id=CVE-2026-35383
Other CWE-540 vulnerabilities
- CVE-2025-26013 — High (CVSS 8.2): An issue in Loggrove v.1.0 allows a remote attacker to obtain sensitive information via the read.py component.
- CVE-2023-39250 — High (CVSS 7.8): Dell Storage Integration Tools for VMware (DSITV) and Dell Storage vSphere Client Plugin (DSVCP) versions prior to…
- CVE-2026-4155 — High (CVSS 7.5): ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This…
- CVE-2025-49182 — High (CVSS 7.5): Files in the source code contain login credentials for the admin user and the property configuration password, allowing…
- CVE-2024-1272 — High (CVSS 7.5): Inclusion of Sensitive Information in Source Code vulnerability in TNB Mobile Solutions Cockpit Software allows…
- CVE-2024-38327 — Medium (CVSS 6.8): IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an…