Nisarga Adhikary's CBSE Vulnerability Report: Unpacking the Digital Security Controversy

In an era where digital transformation is rapidly reshaping educational systems, the integrity and security of online platforms are paramount. The Central Board of Secondary Education (CBSE), India's prominent educational board, recently found itself at the center of a significant cybersecurity controversy. This emerged after a 19-year-old ethical hacker, Nisarga Adhikary, publicly disclosed a series of alleged critical vulnerabilities within the board's newly introduced On-Screen Marking (OSM) portal. This incident has ignited widespread discussions about the robustness of digital evaluation systems and the safety of sensitive student data.

The controversy gained significant traction around May 26-27, 2026, after tech entrepreneur Deedy Das amplified Adhikary's detailed blog post on X, bringing the claims to a broader public audience.

Who is Nisarga Adhikary?

Nisarga Adhikary is a 19-year-old cybersecurity researcher who, remarkably, discovered these vulnerabilities just before appearing for his own Class 12 board exams. Describing himself as a self-taught cybersecurity hobbyist, Adhikary’s meticulous findings and responsible disclosure efforts have positioned him at the forefront of this crucial debate.

The Core Allegations: Alarming Flaws in the OSM Portal

Adhikary's detailed blog post, titled “Exposing Critical Vulnerabilities in CBSE's On-Screen Marking Portal,” outlined several severe loopholes he allegedly found in the system used for digitally evaluating Class 12 board exam papers. The OSM portal was used for the first time this year (2026) to check all CBSE Class 12 papers.

Hardcoded Master Password: A "master password" was allegedly found directly embedded within publicly accessible frontend JavaScript files, capable of bypassing the portal's OTP and authentication flow entirely.

Client-Side OTP Validation: The portal reportedly trusted the user's browser too much, with parts of the authentication logic, including OTP verification, exposed and executed on the client-side rather than being securely verified on CBSE's servers.

Missing Route Protections: Several internal pages and routes within the Angular-based application, such as `/dashboard`, `/profile`, and `/evalscriptsview`, allegedly lacked proper protection, allowing unauthorized access by manipulating browser storage.

Password Reset Flaws: The password reset mechanism reportedly did not verify the old password before allowing a new one, meaning any ValuatorID's password could be reset without proper authorization.

Systemic IDOR Vulnerability: An Insecure Direct Object Reference (IDOR) vulnerability at the architectural level meant the app server trusted client-sent IDs instead of deriving them from authenticated sessions, potentially enabling impersonation of examiners.
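
The server-side counterparts to the five alleged flaws above, as an added example that is not taken from Adhikary's post or from CBSE's code: the OTP is created and compared on the server, no bypass value exists, and every protected call takes the examiner's identity from the session rather than from the request. All function names, the in-memory stores and the `deliver` callback are hypothetical.

```javascript
const crypto = require('crypto');
// Hypothetical in-memory stores standing in for a real database and session store.
const users = new Map();    // valuatorId -> { salt, pwHash, scripts }
const otps = new Map();     // valuatorId -> { digest, expires, tries }
const sessions = new Map(); // opaque random token -> valuatorId
const pwHash = (pw, salt) => crypto.scryptSync(String(pw), salt, 32);
const sha = (s) => crypto.createHash('sha256').update(String(s)).digest();
const pwOk = (u, pw) => crypto.timingSafeEqual(u.pwHash, pwHash(pw, u.salt));
function addUser(id, pw, scripts) {
  const salt = crypto.randomBytes(16);
  users.set(id, { salt, pwHash: pwHash(pw, salt), scripts: new Set(scripts) });
}
// Step 1: check the password, then create the OTP and keep only its digest server-side.
function startLogin(id, pw, deliver) {
  const u = users.get(id);
  if (!u || !pwOk(u, pw)) return false;
  const otp = String(crypto.randomInt(0, 1000000)).padStart(6, '0');
  otps.set(id, { digest: sha(otp), expires: Date.now() + 300000, tries: 0 });
  deliver(otp); // stands in for SMS/e-mail delivery; never returned to the browser
  return true;
}

// Step 2: the server compares the OTP. No bypass value, no client-side verdict.
function verifyOtp(id, otp) {
  const rec = otps.get(id);
  if (!rec || Date.now() > rec.expires || ++rec.tries > 5) { otps.delete(id); return null; }
  if (!crypto.timingSafeEqual(rec.digest, sha(otp))) return null;
  otps.delete(id); // single use
  const token = crypto.randomBytes(32).toString('hex');
  sessions.set(token, id);
  return token;
}

// Route protection and IDOR: identity comes from the session, checked on every request.
function getScript(token, scriptId) {
  const id = sessions.get(token), u = users.get(id);
  if (!u) return { status: 401 };
  if (!u.scripts.has(scriptId)) return { status: 403 };
  return { status: 200, scriptId, valuator: id };
}

// Password change: any valuatorId in the body is ignored; the old password is required.
function changePassword(token, body) {
  const id = sessions.get(token), u = users.get(id);
  if (!u) return { status: 401 };
  if (!pwOk(u, body.oldPassword)) return { status: 403 };
  u.pwHash = pwHash(body.newPassword, u.salt);
  return { status: 200, changedFor: id };
}
```

A client-side route guard in the Angular application can stay for navigation, but only checks like `getScript` decide what data a request receives.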

The Potential Impact: A Threat to Examination Integrity

The alleged vulnerabilities, if exploited, could have severe repercussions, potentially allowing unauthorized access to examiner accounts, password resets, and even the viewing and modification of students' marks. This raised profound concerns about the sanctity of board exam results, which directly impact students' college admissions and future career opportunities.

Disclosure, Response, and Ongoing Scrutiny

The timeline of events highlights the critical importance of swift and effective cybersecurity responses:

1. Initial Discovery and Reporting (February 2026)
Nisarga Adhikary claims he discovered these flaws on February 25, 2026, and immediately reported them to the Indian Computer Emergency Response Team (CERT-In), India's cybersecurity response agency. He provided technical evidence, walkthroughs, and screen recordings, receiving an acknowledgment reference number.
2. Unpatched Vulnerabilities Claimed
Despite his detailed reporting, Adhikary alleged that "most of the vulnerabilities I reported went unpatched for a long time," remaining unresolved for months.
3. Public Disclosure (May 22, 2026)
Frustrated by the lack of resolution, Adhikary publicly disclosed his findings in a detailed blog post on May 22, 2026, which subsequently gained significant attention after being amplified on social media.
4. CBSE's Official Stance
In response to the viral claims, CBSE issued a clarification, denying any security breach in its live evaluation portal. The board stated that the URL cited by Adhikary (cbse.onmark.co.in) was merely a "testing site only with sample data for internal testing and review purposes," and not the actual portal used for evaluation. CBSE affirmed that its actual OSM portal deployed for live evaluation has robust safeguards to ensure integrity. Following the public outcry, the OSM portal reportedly became temporarily inaccessible.
5. Parliamentary Panel Involvement
The controversy has attracted the attention of a parliamentary panel on education, which has summoned officials from the Union Education Ministry and CBSE for a meeting on June 2 to review issues related to the OSM system.

Broader Implications and Student Concerns

This incident unfolds amidst existing criticism and concerns from students regarding the CBSE's digital evaluation system. Students have reported various issues, including mismatches between scanned answer sheets and awarded marks, blurred scans, portal crashes, and evaluation discrepancies. The alleged vulnerabilities further fueled these anxieties, raising questions about the board's digital preparedness and its impact on students' mental well-being and trust in the system.

While CBSE maintains that its live evaluation platform remained secure, the allegations highlight the critical need for stringent security measures and timely patching of vulnerabilities in any system handling sensitive educational data. The incident serves as a crucial reminder for all educational bodies to prioritize cybersecurity in their digital transformation journeys to safeguard student futures and maintain public trust.
