CBSE says OnMark vulnerabilities contained after teen hacker flags access to answer sheets, question papers

The Central Board of Secondary Education (CBSE) has said it has contained vulnerabilities detected in the OnMark portal of its service provider after allegations surfaced online that scanned answer sheets and question papers were publicly accessible through a misconfigured cloud storage system.

The issue gained attention after a 19-year old ethical hacker Nisarga Adhikary claimed on social media that an Amazon Web Services (AWS) storage bucket linked to the system could be accessed without authentication. As per Adhikary, users were allegedly able to browse and download scanned answer booklets and question papers from 2026 examinations.

In a post on X, Adhikary wrote that the cloud storage configuration allowed public listing of files. He alleged that multiple institutions were using the same bucket , potentially exposing a large volume of academic records.

Also read 'Son Im Crine': A teen and techies Vs the CBSE; or how the battle over the OSM portal unfolded online

CBSE in its post on X said it had been monitoring the reported vulnerabilities and had launched an extensive security review.

CBSE deploys cybersecurity experts

In its statement, the board said cybersecurity specialists from government agencies and the Indian Institutes of Technology (IITs) had been engaged to strengthen the affected systems.

CBSE said it had been monitoring the vulnerabilities reported in the OnMark portal and had initiated corrective measures. In a post on X, the board said an "expert team of cybersecurity professionals" from government agencies and IITs had been deployed to strengthen the system and move it to a more secure setup.

The board added that the identified weaknesses had been contained and that additional reviews were underway to determine whether any other exploitable issues remained.

Also read ‘People called us anti-national’: CBSE student says board sends correct answer sheet after social media outcry

CBSE also thanked ethical hackers and citizens who brought the matter to its notice. The board said it had directly contacted some of the individuals who flagged the vulnerabilities and invited others to share inputs with its security team.

CBSE OnMark Portal: Data exposure allegations

The controversy also drew political attention. Congress leader Jairam Ramesh shared Adhikary's claims and questioned the security of student records.

"In today's developments on Mantri Pradhan's Ministry of Scandals, the answer sheets of 2 million CBSE Grade 12 students have been shown to be available in the public domain. This is a data breach of monumental proportions and it compromises the privacy of 2 million students," Ramesh wrote on X.

He further raised questions about the quality of the scanned answer sheets that surfaced online and sought clarification on the scanning systems used by the service provider.

Also read ‘More exhausting than manual’: How CBSE on-screen marking system is draining teachers it was meant to help

The development comes months after Adhikary had earlier highlighted alleged security flaws in CBSE's digital evaluation ecosystem.

While the board maintains that the reported vulnerabilities have now been addressed, the incident has once again brought attention to cybersecurity practices surrounding large-scale examination and evaluation platforms used by educational institutions.