Password in public? CBSE OSM portal under lens after 19-year-old hacker claims to bypass security measures

K. Nitika Shivani | May 26, 2026 | 05:31 PM IST | 6 mins read

Nisarga Adhikary, just out of Class 12, has detailed vulnerabilities in cbse.onmark.co.in, the CBSE on-screen marking portal, in a blog. Findings reported to CERT.in in February but gaps remained, he says

CBSE’s OSM portal breach has triggered a nationwide debate over exam security, student data protection and accountability in India’s digital education systems (Representational image: Shutterstock)

A 19-year-old student and ethical hacker, Nisarga Adhikary, has publicly disclosed vulnerabilities in the Central Board of Secondary Education’s On-Screen Marking (OSM) portal, the system used for evaluating board exam papers. This year, for the first time, all CBSE Class 12 papers were checked on that portal.

The controversy gained traction after Adhikary posted a thread on X and later published a detailed blog post claiming he was able to bypass parts of the CBSE OSM portal’s login and access-control systems. He said the issues had first been reported privately to CERT-In, India’s cybersecurity response agency, months earlier. “I had hacked CBSE's OSM (On-Screen Marking Portal) in February and had reported the vulnerabilities to CERT-In, but they were unable to patch most of them,” he wrote in a post on X.

The disclosures quickly spread across social media, with cybersecurity professionals, students and educators questioning how a national-level examination system such as the CBSE’s could allegedly contain such basic security weaknesses.

CBSE on 26th May 2026 issued a clarification after viral social media posts and news reports claimed its On-Screen Marking (OSM) portal had been compromised by a 19-year-old ethical hacker.

In a statement posted on X, the board said the URL cited in the disclosures — cbse.onmarks.co.in — was only a “testing site” containing sample data for internal review purposes and not the actual portal used for evaluation of answer sheets.

“There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work,” CBSE said.

The board also said the OSM system was introduced to improve transparency in assessments and claimed strong safeguards and grievance-redressal mechanisms were built into the platform used for live evaluation.

The clarification came after 19-year-old ethical hacker Nisarga Adhikary publicly alleged that CBSE’s OSM portals contained serious security vulnerabilities, including exposed login-related code and weak authorisation checks.

Responding to CBSE’s statement, Adhikary disputed the board’s claim that only test systems were affected.

“If this was test data – how I was able to log in with prod user data completely?” he wrote on X, claiming he possessed screen recordings and proof of CERT-In acknowledgements.

He further alleged that multiple mirror domains under the “onmark” network — including cbse1.onmark.co.in, cbse2.onmark.co.in, cbse3.onmark.co.in and cbse4.onmark.co.in — showed similar vulnerabilities.

“Then how I was able to access production data on that site? All of the mirrors you had under the onmark domain had the same vulnerabilities,” he wrote.

“It’s sad that you can’t even investigate security reports properly,” he added, saying he was attaching screenshots as proof.


The CBSE OSM controversy

The OSM portal controversy did not emerge in isolation. In the weeks leading up to the Nisarga Adhikary CBSE vulnerability report becoming public, several CBSE Class 12 students had taken to social media alleging mismatches between their scanned answer sheets and the marks awarded under the board’s On-Screen Marking system.

Students claimed some answers visible in scanned copies appeared unchecked or incorrectly totalled, while others questioned sudden variations in marks after re-evaluation requests. The complaints triggered wider concerns over transparency in CBSE’s increasingly digitised evaluation process.

For many students and parents, the issue was not just about technical glitches but about trust in a system that directly affects college admissions, scholarships and future opportunities.

It was during this growing scrutiny around the OSM system that Nisarga published his findings online. His disclosures quickly transformed an already simmering transparency debate into a national conversation about cybersecurity, vendor accountability and the safety of student examination data.

‘Nisarga Adhikary CBSE vulnerabilities report’

According to researchers and cybersecurity experts discussing the issue online, the core problem was that the portal allegedly trusted the user’s browser too much instead of securely verifying everything on CBSE’s own servers.

Experts say secure websites normally keep important checks hidden inside protected backend systems. In the CBSE portal, however, parts of that logic were reportedly exposed in code that loaded directly on a user’s browser.

In his blog post, Nisarga Adhikary alleged that the CBSE OSM portal contained a hardcoded “master password” directly inside publicly accessible frontend JavaScript files. “Not a hash, not a token reference, but the literal password string,” he wrote, claiming the password could bypass the portal’s OTP and authentication flow entirely.


Researchers further claimed that after entering the system, changing examiner ID numbers in browser requests could allegedly provide access to other accounts and evaluation records.

CBSE OSM System: Hotel key card, master password

Product engineer Mayuri Prakash from Bengaluru, explaining Adhikary’s blog post, said the vulnerabilities described in the CBSE OSM portal point to basic failures in how authentication and validation were designed.

“In any secure website, validation and authentication logic is supposed to stay hidden in the backend server. Users should never directly see sensitive verification data. But here, much of that information was reportedly exposed in the client side JavaScript — essentially the code visible in the browser itself through inspect tools,” she said.

She compared it to a hotel keeping its master key card openly at the front desk where anyone could pick it up.

“A master key card is supposed to be accessible only to authorised staff. Imagine leaving it in public view for everyone entering the hotel lobby. That is similar to what researchers are alleging happened here. Sensitive information, including login-related details, was effectively visible in the frontend instead of being securely handled in the backend,” she explained.

Prakash also explained the alleged IDOR, or Insecure Direct Object Reference, vulnerability Adhikary notes in his blog post in simpler terms. “In secure systems, even if someone changes account IDs or requests details in the browser, the server should recheck whether that user is actually authorised to access the account,” she said. “In this case, researchers allege that the portal was not properly rechecking authorisation. If someone changed IDs inside browser requests, the system could allegedly return another user’s account information without demanding proper verification again.”


She said the issue becomes especially dangerous when combined with weak password recovery or login validation systems.

“If the application trusts browser-side data too much and does not properly validate requests on the server, attackers can potentially access details they should never be able to see. That is why backend verification exists in the first place,” she added.

A Chennai-based expert said, “To understand the CBSE portal breach, think of internet security like a bank vault. Normally, when you enter a password, the verification happens securely inside the backend server. But in this case, researchers allege that critical login logic was exposed directly in the frontend code visible in the browser itself.

“The researcher reportedly found a ‘master password’ openly visible in the website code. The system also allegedly trusted the user’s browser to confirm whether a login was successful instead of securely verifying it on the server side. By intercepting browser traffic, someone could reportedly change the response from ‘failed’ to ‘successful’ and bypass OTP verification.

“Once inside, the portal allegedly lacked proper authorization checks. Researchers claim users could change teacher ID details in browser requests and access other examiner accounts, answer sheets and student records. It was a fundamental failure of backend security validation,” said a Chennai-based cybersecurity expert familiar with the disclosures.
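The backend verification the experts describe can be shown in a few lines. The sketch below is an illustration added to this article, not code from the CBSE portal or from Adhikary’s blog; every name, ID and OTP in it is hypothetical and constructed. It contrasts a handler that trusts the ID sent by the browser with one that rechecks it against a session the server created after verifying the OTP itself.

```javascript
// Added illustration: all names, IDs and the OTP are constructed sample data.
const { randomBytes, timingSafeEqual } = require("node:crypto");

const sessions = new Map();                          // token -> examinerId, server-side only
const pendingOtps = new Map([["EX100", "482913"]]);  // constructed one-time code
const records = new Map([
  ["EX100", { examiner: "EX100", sheets: ["sheet-a"] }],
  ["EX200", { examiner: "EX200", sheets: ["sheet-b"] }],
]);

// The server decides whether login succeeded. The browser only receives the
// outcome, so editing a response in transit creates no session here.
function login(examinerId, otp) {
  const expected = pendingOtps.get(examinerId);
  const given = Buffer.from(String(otp));
  const want = Buffer.from(expected || "");
  if (!expected || given.length !== want.length || !timingSafeEqual(given, want)) {
    return { status: 401 };
  }
  pendingOtps.delete(examinerId);                    // an OTP is valid once
  const token = randomBytes(32).toString("hex");
  sessions.set(token, examinerId);
  return { status: 200, token };
}

// Weak pattern (the IDOR described above): whatever ID the request names is served.
function getRecordsWeak(req) {
  const rec = records.get(req.examinerId);
  return rec ? { status: 200, body: rec } : { status: 404 };
}

// Hardened: identity comes from the server-side session, and the ID in the
// request is rechecked against it on every call.
function getRecords(req) {
  const owner = sessions.get(req.token);
  if (!owner) return { status: 401 };                // no valid session
  if (req.examinerId !== owner) return { status: 403 }; // not this user's data
  return { status: 200, body: records.get(owner) };
}
```
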

Dharmendra Pradhan, CBSE, IIT audit

The digital correction portal, cbse.onmark.co.in, is not the board’s only problem. There have been widespread complaints about the functioning of the portal for re-evaluation.

It led to the education minister, Dharmendra Pradhan, stepping in and directing Indian Institute of Technology Madras and IIT Kanpur to help bolster the CBSE’s tech systems.

The CBSE has throughout defended the on-screen marking system. Its officials were asked about Adhikary’s findings but till the time of publication, there was no response. If and when they respond, this story will be updated with their comments.

Update: This story has been updated to include the statement from CBSE on the report.
