‘Anyone can download’: Teen hacker alleges CBSE answer sheets were exposed online



Days after alleging security flaws in CBSE’s digital evaluation system, 19-year-old ethical hacker Nisarga Adhikary has claimed that scanned answer sheets and question papers linked to the board were publicly accessible.

In a post on X, Adhikary alleged that an AWS bucket containing 2026 answer sheets and question papers could be accessed without authentication. “CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure,” he wrote.

According to Adhikary, the issue stemmed from a cloud storage configuration that allowed users to browse and download files without logging in or providing credentials. He also claimed that multiple institutions were using the same storage bucket, increasing the scale of the alleged exposure.

Screenshots shared by Adhikary appeared to show scanned answer booklets arranged in a file directory.

Congress leader Jairam Ramesh shared Adhikary’s post on X. “In today’s developments on Mantri Pradhan’s Ministry of Scandals, the answer sheets of 2 million CBSE Grade 12 students have been shown to be available in the public domain. This is a data breach of monumental proportions and it compromises the privacy of 2 million students,” Ramesh wrote.

The allegations come shortly after Adhikary claimed to have found several vulnerabilities in CBSE’s On-Screen Marking (OSM) portal. In a blog post titled “Exposing Critical Vulnerabilities in CBSE’s On-Screen Marking Portal”, he said he discovered the issues on February 25 and reported them to CERT-In before making them public.

“I was able to log in as an examiner and reach the evaluation dashboard, where I could view and edit marks,” Adhikary wrote in the blog.
He also alleged that OTP verification could be bypassed and that several reported issues remained unpatched for an extended period.

As the claims gained traction, users reported that the OSM portal had become temporarily inaccessible. CBSE later responded to the allegations, stating that the URL cited in social media posts was not the portal used for actual evaluation work.

“At the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,” CBSE said in a statement posted on X.

The board further stated that the website identified by Adhikary was only a testing platform containing sample data. “There are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work,” the statement added.
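For storage owners, the kind of exposure alleged above (bucket listing and object download without credentials) is typically visible in the bucket policy itself. The following is an added example, not code from the article or from any party named in it: a small Python audit that flags policy statements granting anonymous callers `s3:ListBucket` (the permission behind ListObjectsV2) or `s3:GetObject`. The bucket name, Sids and account ID are constructed placeholders, and the check covers bucket policies only, not ACLs or Block Public Access settings.

```python
import fnmatch

# Permissions behind the two behaviours alleged in the article:
# s3:ListBucket authorizes ListObjectsV2, s3:GetObject authorizes downloads.
RISKY = ("s3:ListBucket", "s3:GetObject")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (any caller, signed or not)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def anonymous_grants(policy):
    """Return sorted (sid, action) pairs that any internet caller is allowed."""
    findings = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditional grants need manual review, not flagged here
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in RISKY:
                # IAM action names are case-insensitive and may use wildcards
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.add((stmt.get("Sid", f"statement-{i}"), action))
    return sorted(findings)

# Constructed sample policy; the bucket name, Sids and account ID are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-exam-media"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-exam-media/*"},
        {"Sid": "UploaderOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-exam-media/*"},
    ],
}

if __name__ == "__main__":
    for sid, action in anonymous_grants(SAMPLE_POLICY):
        print(f"{sid}: anonymous {action}")
```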


