CBSE OnMark Portal Hacked 2026 — this is the cybersecurity scandal that shook India’s education system on May 31, 2026, when a 19-year-old ethical hacker publicly proved that scanned answer sheets of over 2 million Class 12 students were freely accessible on the open internet. No password. No login. No hacking skills required. Just an open link that anyone in the world could access and download from.
The person who exposed this is Nisarga Adhikary ethical hacker CBSE, a teenage cybersecurity researcher who had already reported serious vulnerabilities in CBSE’s systems months earlier through official channels. When no meaningful action was taken, he went public — and the consequences have been enormous for India’s most powerful education board.
CBSE OnMark Portal Hacked 2026: How the Breach Was Discovered
On May 31, 2026, Adhikary posted on X, formerly Twitter, with a clear and alarming claim backed by screenshots. He wrote that CBSE had failed to properly configure their Amazon Web Services storage bucket, and as a result anyone on the internet could freely browse and download scanned answer booklets and question papers from the 2026 board examinations. He attached multiple screenshots showing actual student answer copies as direct evidence.
The vulnerability he exposed is a classic AWS S3 bucket misconfiguration. Amazon Web Services provides cloud storage through containers called S3 buckets. When configured correctly, only authorized users with proper credentials can access the files inside. Amazon even provides a one-click setting called Block Public Access specifically to prevent unauthorized access. In CBSE’s case, this setting was never applied. The bucket was left completely open to the public internet, meaning the academic records of millions of students were sitting exposed like an unlocked filing cabinet on a public street — available to anyone who knew the URL.
This Was Not the First Warning CBSE Received
What makes the CBSE OnMark Portal Hacked 2026 case significantly more serious is that Nisarga Adhikary had already raised the alarm about CBSE’s security failures months before the May 2026 incident. In February 2026, he discovered that CBSE’s On-Screen Marking portal had a critical authentication flaw that allowed him to log in as an examiner without proper verification. Once inside, he could access the evaluation dashboard and view — and potentially modify — student marks.
Adhikary responsibly reported his February findings directly to CERT-In, India’s national cybersecurity response agency, before making anything public. Despite this official report, the underlying security problems in CBSE’s digital evaluation ecosystem were never fully addressed. The May 2026 AWS exposure was the second time Adhikary was forced to go public because the official reporting process had failed to produce results. This pattern of ignored warnings followed by forced public disclosure is one of the most damaging aspects of the entire controversy.
What Is the CBSE OnMark Portal
The portal at the center of the CBSE OnMark Portal Hacked 2026 controversy, officially known as the On-Screen Marking or OSM portal, is the digital evaluation platform CBSE uses to conduct online marking of Class 12 board examination answer sheets. Under this system, physical answer booklets from examination centers across India are scanned and uploaded to cloud storage. Examiners then log in remotely and assign marks through a web interface without handling physical papers.
The portal is not built or managed by CBSE directly. It is operated by a Hyderabad-based private company called Coempt Edu Teck, which was awarded the OSM contract in December 2025 following a tender process that drew significant public criticism. Cybersecurity analyst Sidhant publicly alleged that CBSE modified technical eligibility criteria during the bidding process multiple times, relaxing key standards related to scanning quality, equipment certifications, and software requirements in ways that appeared to benefit Coempt Edu Teck specifically over competing vendors.
The AWS S3 Misconfiguration Explained
CBSE AWS answer sheet leak 2026
For readers without a technical background, this vulnerability is straightforward to understand. An AWS S3 bucket is an online folder hosted on Amazon’s cloud servers where organizations store files. Every organization using AWS has full control over who can access their bucket. The standard recommended configuration is to block all public access, meaning only verified and authorized users can view or download stored files.
In this case, that fundamental access control was never applied. The bucket was left public. Anyone who accessed the bucket URL could see a complete listing of every file stored inside and download any of them instantly without any authentication. Adhikary discovered the open bucket, browsed through its contents, and found thousands of scanned Class 12 answer booklets and question papers from the 2026 board examinations sitting completely unprotected.
This is not sophisticated hacking. This is a basic configuration error that any cloud engineer would catch in a standard security review. The fact that it existed on a system storing the academic records of 2 million students makes it an inexcusable institutional failure.
CBSE’s Official Response
Once Adhikary’s post went viral and prominent political figures began amplifying the story, CBSE responded within hours. The board posted an official statement through its verified X account @cbseindia29 confirming that vulnerabilities in the OnMark portal had been identified and that immediate corrective action was underway. CBSE stated that a team of cybersecurity professionals had been deployed from various government agencies and the Indian Institutes of Technology to secure the system and migrate it to a more robust infrastructure. The board confirmed that identified vulnerabilities had been contained and that comprehensive audits were ongoing to rule out any remaining weaknesses.
CBSE also publicly acknowledged the role of ethical hackers and alert citizens in exposing the vulnerabilities and stated it had directly contacted several individuals who reported issues, inviting others to share findings with its security team.
In an attempt to limit reputational damage, the board also claimed that the specific website Adhikary identified was only a testing environment containing sample data and that the live evaluation portal used for actual marking had not been compromised. Adhikary and multiple observers disputed this directly, pointing to what appeared to be genuine student answer sheets visible in his published screenshots.
Political Pressure Forces Government Response
The scale of the potential data exposure immediately made this a major political issue. Congress leader Jairam Ramesh amplified Adhikary’s post and publicly declared that the answer sheets of 2 million students had been placed in the public domain, directly challenging the government’s handling of student data security.
Education Minister Dharmendra Pradhan acknowledged that discrepancies had emerged during the first large-scale deployment of the OSM system and stated that the government was committed to addressing every genuine student grievance. He confirmed that technical experts from India’s leading institutions had been dispatched to support CBSE’s review process — a significant admission that the situation required external intervention.
Coempt Edu Teck CBSE penalty
Following sustained public pressure, CBSE confirmed it would impose financial penalties on Coempt Edu Teck under the terms of the tender agreement signed in August 2025. That contract includes clearly defined penalty clauses covering security breaches, data leaks, data corruption, and inadequate technical responses. CBSE declined to disclose the exact penalty amount but confirmed appropriate action would be taken in accordance with contractual provisions.
A critical limitation has emerged however. The contract contains no provisions for blacklisting Coempt Edu Teck entirely, regardless of the severity of the failure. This means that despite one of the most significant data security failures ever recorded in India’s education sector, CBSE’s ability to hold its vendor fully accountable is legally restricted by the very contract it signed. This contractual gap raises serious questions about how CBSE structures vendor agreements involving national-scale sensitive data.
Why This Is a Deeper Governance Problem
The CBSE OnMark portal hacked incident is not simply a story about one misconfigured cloud storage bucket. It exposes a systematic pattern of failures in how India’s public institutions manage digital infrastructure holding sensitive data of millions of citizens.
The most basic cloud security control was never applied to a system holding academic records of 2 million students. A researcher formally reported critical vulnerabilities in February 2026 through official channels and received no meaningful response. The vendor contract gives CBSE insufficient legal power to take decisive action even after a confirmed breach. The entire evaluation process for millions of students was handed to a third-party system that apparently never underwent independent security testing before going live at full national scale.
These are not technical oversights. They are institutional governance failures. Until India’s public institutions treat cybersecurity as a fundamental operational requirement rather than an afterthought, incidents of this scale will continue to occur.
What Students and Parents Need to Know
If your child appeared in the CBSE Class 12 board examinations in 2026, the official position is this: CBSE has stated that the actual evaluation portal used for live marking was entirely separate from the exposed environment and that student marks were not compromised. Students who have concerns about their results are strongly encouraged to apply for re-evaluation through CBSE’s official process, which opened in early June 2026 and is accessible through the official CBSE website at cbse.gov.in.
CBSE OnMark Portal Hacked 2026: Current Status as of June 3, 2026
CBSE has officially confirmed that all identified vulnerabilities in the OnMark portal have been contained. Cybersecurity teams from IITs and government agencies are continuing to audit and strengthen the system. Financial penalty proceedings against Coempt Edu Teck are formally underway. Nisarga Adhikary ethical hacker CBSE has received public acknowledgment from CBSE and has not faced any legal consequences. The CBSE OSM portal security failure of 2026 stands as one of the most significant cybersecurity incidents ever recorded in India’s education infrastructure.