Class 12 Student Exposes CBSE Portals Security
When CBSE launched its new On-Screen Marking (OSM) system this year, most students and parents assumed it was a step forward – a modern, digital way to evaluate answer sheets. Nisarga Adhikary, a Class 12 student and self-taught cybersecurity researcher from West Bengal, decided to take a closer look. What he found was alarming.
In less than an hour of browsing the portal’s publicly accessible code, Adhikary says he discovered multiple serious security vulnerabilities – flaws that could allow anyone with basic technical knowledge to log in as an examiner, bypass the OTP verification system, reset passwords without any identity check, and potentially alter students’ marks.
“It was one of the easiest hacks of my life,” Adhikary said. “You don’t even need to know programming. Anyone can impersonate any examiner. The access control is totally broken.”
What Exactly Did He Find?
The most damaging flaw, according to Adhikary, was a “master password” hidden directly inside the portal’s publicly visible JavaScript code – the kind of code that any browser can read. This meant that anyone who found that password could log into the system as any examiner, without needing an OTP or any other verification.
The OTP system itself had a fatal design flaw. Instead of the server verifying the one-time password, the verification was being done inside the user’s own browser. That means anyone who knows how to inspect a webpage could simply read the OTP from the browser and bypass the security check entirely.
Password reset was equally broken. Normally, resetting a password requires entering the old one first. On this portal, Adhikary says, a user could just enter any random old password and set a new one — the server never actually checked.
On top of all this, he claims that examiner identities could be manually changed by editing a few values in the browser’s storage, allowing someone to impersonate a teacher and access their evaluation records.
“None of this required sophisticated exploitation,” Adhikary wrote in a detailed blog post. “The hardest part was reading a JavaScript file and editing a couple of values in DevTools.”
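The server-side checks whose absence is described above, as an added example that is not taken from Adhikary's write-up or from the portal's code: the OTP is verified on the server, the old password is checked before a change, and identity comes from a server-held session. All function names, the in-memory stores and the sample examiner ID are hypothetical.

```javascript
// Added example: hypothetical names, in-memory stores, constructed sample data.
const crypto = require('crypto');

const users = new Map();     // examinerId -> { salt, hash }
const otps = new Map();      // examinerId -> { digest, expires, tries }
const sessions = new Map();  // random token -> examinerId

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const kdf = (pw, salt) => crypto.scryptSync(pw, salt, 32);

function setPassword(id, pw) {
  const salt = crypto.randomBytes(16);
  users.set(id, { salt, hash: kdf(pw, salt) });
}
// No shared "master" secret: each account is checked against its own salted hash.
function checkPassword(id, pw) {
  const u = users.get(id);
  return !!u && crypto.timingSafeEqual(kdf(pw, u.salt), u.hash);
}
// The OTP is delivered out of band; the browser never receives it or its hash.
function issueOtp(id, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  otps.set(id, { digest: sha256(code), expires: now + 5 * 60000, tries: 0 });
  return code; // handed to the SMS/e-mail sender only
}
// Verification happens on the server, with expiry, an attempt limit and single use.
function login(id, pw, code, now = Date.now()) {
  const o = otps.get(id);
  if (!checkPassword(id, pw) || !o || now > o.expires || ++o.tries > 3) return null;
  if (!crypto.timingSafeEqual(sha256(String(code)), o.digest)) return null;
  otps.delete(id);
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, id);
  return token;
}
// Identity is looked up from the session token, never from a client-sent ID.
function whoAmI(token) { return sessions.get(token) || null; }
// The old password is actually checked before the new one is stored.
function changePassword(token, oldPw, newPw) {
  const id = whoAmI(token);
  if (!id || !checkPassword(id, oldPw)) return false;
  setPassword(id, newPw);
  return true;
}
```

With this shape, values edited in the browser's storage or DevTools change nothing the server trusts, because every decision is made from state the client cannot write.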
He Reported It. Nobody Responded
What makes this story more troubling is the timeline. Adhikary says he discovered these vulnerabilities on 25 February 2026 – months before the CBSE Class 12 results were announced. He immediately reported the issue to CERT-In, the Indian government’s official cybersecurity response agency, via email.
CERT-In acknowledged his complaint with a standard reply, assigned it a reference number, and went quiet. Despite multiple follow-ups over the next three months, Adhikary received no meaningful response and no confirmation that the flaws had been fixed.
“It is very disrespectful, to be honest. There are companies who charge lakhs of rupees for this kind of security audit, and I am doing it for free just to help them – and they are not responding. That is arrogance and negligence,” he said.
On 22 May 2026, having waited long enough, Adhikary published a full technical write-up on his personal blog, complete with screen recordings and step-by-step demonstrations of the vulnerabilities. The post went viral almost immediately.
The Bigger Picture: Students Already Complaining
Adhikary’s revelations did not come out of nowhere. For weeks before his blog went public, CBSE Class 12 students had been raising complaints on social media about irregularities in the OSM system. Students reported receiving answer sheets with someone else’s handwriting, missing pages, unchecked answers, and sudden unexplained drops in marks.
For many students and parents, the issue was not just about technical glitches but about trust in a system that directly affects college admissions, scholarships and future opportunities.
Union Education Minister Dharmendra Pradhan took note of the growing uproar and directed CBSE officials to urgently address the portal’s problems, with help from IIT experts and public sector banks. “Student interests remain paramount, and all corrective measures must be undertaken by CBSE on priority,” he said.
CBSE Says the Portal Was Not Hacked
After Adhikary’s blog went viral and the CBSE platforms went down, the board issued a clarification on X (formerly Twitter), denying that its OSM portal was compromised.
CBSE said that the URL Adhikary had investigated – cbse.onmark.co.in – was only a testing site with sample data used for internal review, and had nothing to do with the actual evaluation portal where real student data and marks were stored.
“There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work,” CBSE wrote.
Adhikary, however, pushed back. He pointed out that the URL mentioned in CBSE’s post was not even a valid domain and was, in fact, redirecting users to his own blog. He also claimed that he had visual proof showing access to what he described as non-test production data through the portal.
The Internet Freedom Foundation (IFF), a digital rights organisation, has since written to the Ministry of Education and CERT-In, urging them to take the disclosure seriously and respond transparently.
Who Is Nisarga Adhikary?
Nisarga Adhikary is a 19-year-old from West Bengal who recently completed his Class 12 exams. He describes himself as a hobbyist cybersecurity researcher who has worked on bug bounty programmes – projects where companies reward researchers for finding and reporting security flaws – for several years. He studied in Delhi for a part of his schooling and has built cybersecurity tools as a self-taught developer.
His interest in the CBSE portal was born out of simple curiosity. He says he had no intention of misusing what he found and chose to report it through the proper official channels first, only going public after months of silence.
Why This Matters
India’s board examinations are among the most high-stakes events in a young person’s life. Marks scored in Class 10 and Class 12 directly influence college admissions, government job eligibility, and scholarship opportunities for millions of students across the country. CBSE oversees more than 33,000 schools in India and abroad.
When a teenager sitting at home can, in under an hour, find ways to potentially access examiner accounts and alter student marks on the very system used to evaluate those exams – and then wait three months for someone in authority to respond – it raises serious questions about how India protects its most critical public digital infrastructure.
As of now, CBSE has not confirmed whether the six high-severity vulnerabilities flagged by Adhikary have been fully fixed. The students who may have been affected by errors in the OSM system are still waiting for answers.

