CBSE Marking system vulnerabilities exposed by ethical hacker

SOCIAL – EDUCATION

1 JUNE 2026

• After public posts by ethical hackers exposed vulnerabilities in the On-Screen Marking platform OnMark for Class 12 answer sheets, the Central Board of Secondary Education (CBSE) said the identified vulnerabilities “have been contained and other exploitable weaknesses are being ruled out”.
• The CBSE said it was “grateful” to alert citizens for pointing out “such weaknesses”.
• The Board’s statement comes after 19-year-old ethical hacker Nisarga Adhikary said he had hacked its digital evaluation ecosystem.
• “I sent my first report to the CBSE on February 25, and within three to four days, they took the portal down,” he said.
• On May 30, Mr. Adhikary managed to hack into the CBSE’s Principals dashboard in the On-Screen Marking platform. “The dashboard and the portal had had 9.3 million columns and rows of sensitive student data, including images of answer sheets of students which lay unprotected and could be easily tampered with,” Mr. Adhikary said.
• He has alleged that there are data sovereignty issues with how COEMPT Eduteck [the CBSE’s technology vendor] handled sensitive student exam data.
• He has alleged that an Amazon Web Services (AWS) bucket containing 2026 answer sheets and question papers could be accessed without authentication.
• “COEMPT should have ideally stored the data on their own servers, but they took the ‘cheap easy route’ of storing answer sheets in Amazon Web Services public buckets without any security checks,” Mr. Adhikary said.
• Sensitive data, including personal information of students, was processed by Google’s Gemini in automation scripts prepared by quality assurance engineers of COEMPT, he added.
• Mr. Adhikary called this “scary” and “sad”, where a third party sends such data to the U.S. for processing. “Data Privacy Laws are not respected and they [the company] should get sued for doing this without student consent,” he said.