A 19-year-old found 9 security holes in the system that graded 17.8 lakh students. No one fixed them for 3 months. The latest: 457K+ payment records leaked through an unauthenticated API. Here's what it means for you, in plain English.
Think of the CBSE marking system like a school's answer sheet storage room. ni5arga, a 19-year-old security researcher, discovered that:
He reported all of this to India's cybersecurity agency (CERT-In) on February 25, 2026. Three months later, after no meaningful fix, he went public.
---

ni5arga documented his first 5 findings in a detailed blog post published May 22, 2026. Here's a simple summary:
| # | What happened | In plain English |
|---|---|---|
| 1 | Hardcoded master password in website code | The system's master password was written into the website's source code, like taping your ATM PIN to the ATM |
| 2 | OTP sent back to the browser, not verified by server | The login OTP was checked by your own browser, not the server. It's like a bouncer who asks "are you on the list?" and trusts whatever you say |
| 3 | No route guards: entire app accessible without login | Every single page could be visited without logging in. The login screen was decorative |
| 4 | Change password without knowing old one | Anyone could reset any evaluator's password without knowing or entering the current password |
| 5 | Systemic IDOR: ID manipulation across all APIs | By changing a number in the web address, you could see any student's marks, like opening someone else's locker by trying the combinations 1, 2, 3 in turn |
Full technical details: ni5arga.com/blog/posts/hacking-cbse
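The server-side checks that findings 1 to 5 imply were missing, as an added illustration that is not OnMark/CBSE code (every account, password, student id and in-memory store here is constructed for the demo): a salted hash stands in for the hardcoded secret (finding 1), the OTP is generated, stored and compared only on the server, with an expiry and an attempt limit (finding 2), every route resolves a session before returning anything (finding 3), a password change requires proof of the current password (finding 4), and the student id in a request is checked against what the caller is allowed to see rather than trusted (finding 5).

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed demo values; nothing below is OnMark/CBSE code or data.
PBKDF2_ROUNDS = 200_000
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 5


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Finding 1 fix: store a salted PBKDF2 hash, never a plaintext secret in code."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def verify_password(password: str, stored: bytes) -> bool:
    salt, dk = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


class OtpStore:
    """Finding 2 fix: the OTP lives only on the server; the browser never sees it."""

    def __init__(self):
        self._pending = {}  # user -> [otp, expires_at, failed_attempts]

    def issue(self, user: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [otp, time.time() + OTP_TTL_SECONDS, 0]
        # In a real deployment this value goes to the SMS/e-mail gateway only,
        # never into the HTTP response that the browser receives.
        return otp

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        otp, expires_at, _ = entry
        if time.time() > expires_at:
            del self._pending[user]
            return False
        if hmac.compare_digest(otp.encode(), submitted.encode()):
            del self._pending[user]  # single use
            return True
        entry[2] += 1
        if entry[2] >= OTP_MAX_ATTEMPTS:
            del self._pending[user]  # burn the code after too many guesses
        return False


class OsmServer:
    def __init__(self):
        self.otp = OtpStore()
        self.users = {"evaluator1": hash_password("correct horse battery")}
        self.assignments = {"evaluator1": {"S1"}}  # evaluator -> student ids they may see
        self.marks = {"S1": {"physics": 71}, "S2": {"physics": 88}}
        self.sessions = {}  # token -> user

    def login(self, user: str, password: str, otp: str) -> Optional[str]:
        stored = self.users.get(user)
        if stored is None or not verify_password(password, stored):
            return None
        if not self.otp.verify(user, otp):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def _session_user(self, token: Optional[str]) -> Optional[str]:
        """Finding 3 fix: every route checks the session; no valid token, no data."""
        return self.sessions.get(token) if token else None

    def change_password(self, token: str, old: str, new: str) -> bool:
        """Finding 4 fix: the current password must be proven before it changes."""
        user = self._session_user(token)
        if user is None or not verify_password(old, self.users[user]):
            return False
        self.users[user] = hash_password(new)
        return True

    def get_marks(self, token: str, student_id: str) -> Optional[dict]:
        """Finding 5 fix: the id from the URL is checked against the caller's assignments."""
        user = self._session_user(token)
        if user is None or student_id not in self.assignments.get(user, set()):
            return None
        return self.marks.get(student_id)
```

The ownership check in `get_marks` is the whole IDOR fix: the identifier in the request is data, not authorisation, and the server decides from its own records whether this caller may see that student.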
After publishing the blog, ni5arga kept finding more holes. These are the ones that hadn't been blogged as of May 31, 2026, and they're arguably worse.
Finding 6 (full server takeover): ni5arga (along with @thetirthparmar) demonstrated complete control of CBSE's actual, live production server, the one that was actively being used to grade Class 12 answer sheets.
Imagine someone not just finding the back door to the school, but getting the master keys to every classroom, the principal's office, the records room, and the intercom system, and then playing music over the PA to prove it.
Original disclosure tweet · Archive · Archive 2 · Archive 3
Finding 7 (super admin on the OnMark platform): A separate OnMark subdomain, used by multiple universities for exam evaluation, was compromised, granting super admin access.
If Finding 6 was breaking into one school, this is breaking into the central office that manages grading for dozens of schools, and getting the principal's login.
Why this is bigger than CBSE: This proves the vulnerability isn't limited to CBSE. It's baked into the OnMark platform itself, which is used by multiple institutions across India. Tweet 1 · Tweet 2 · Tweet 3
Finding 8 (open S3 bucket): CBSE's cloud storage (an AWS S3 bucket) was left completely open: no password, no login, nothing. Anyone on the internet could browse, search, and download scanned answer sheets and question papers.
Imagine the school put every student's answer sheet in a cardboard box, left it on the sidewalk with a sign that says "free to take," and didn't even write a name on it. Anyone walking by, not just students of that school, could flip through and take whatever they wanted.
"CBSE people didn't configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions." — @ni5arga, May 31, 2026
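A check a practitioner would run before and after fixing Finding 8, added here as an illustration and not the researcher's tooling: an unsigned ListObjectsV2 request, paginated through continuation tokens the same way an open bucket gets enumerated. The bucket name and the two XML pages are constructed to mirror S3's real response format so the code runs offline; pass a real bucket name on the command line to test a live one (only with the owner's permission).

```python
import sys
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def unsigned_list_url(bucket: str, continuation_token: str = None, max_keys: int = 1000) -> str:
    """ListObjectsV2 with no Authorization header: only a publicly listable bucket answers 200."""
    url = f"https://{bucket}.s3.amazonaws.com/?list-type=2&max-keys={max_keys}"
    if continuation_token:
        url += "&continuation-token=" + urllib.parse.quote(continuation_token, safe="")
    return url


def fetch(url: str):
    """Return (http_status, body). Real network call; used only when run as a script."""
    req = urllib.request.Request(url, headers={"User-Agent": "s3-public-list-check"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status: int, body: bytes) -> str:
    if status == 200 and b"ListBucketResult" in body:
        return "PUBLIC_LISTABLE"
    if status == 403:
        return "LIST_DENIED"  # private bucket, or Block Public Access in force
    if status == 404:
        return "NO_SUCH_BUCKET"
    return f"UNEXPECTED_{status}"


def parse_list_objects_v2(body: bytes):
    root = ET.fromstring(body)
    keys = [c.findtext(S3_NS + "Key") for c in root.findall(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, truncated, root.findtext(S3_NS + "NextContinuationToken")


def enumerate_public_bucket(bucket: str, fetch=fetch, page_limit: int = 10):
    """Walk continuation tokens the way an attacker paginates an open bucket."""
    keys, token, pages = [], None, 0
    while pages < page_limit:
        status, body = fetch(unsigned_list_url(bucket, token))
        verdict = classify(status, body)
        if verdict != "PUBLIC_LISTABLE":
            return verdict, keys
        page_keys, truncated, token = parse_list_objects_v2(body)
        keys.extend(page_keys)
        pages += 1
        if not truncated:
            break
    return "PUBLIC_LISTABLE", keys


# Constructed responses shaped like S3's real XML, so the check runs offline.
_PAGE_1 = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>example-media-bucket</Name><KeyCount>2</KeyCount><IsTruncated>true</IsTruncated>
<NextContinuationToken>tok1</NextContinuationToken>
<Contents><Key>2026/booklets/0001.pdf</Key></Contents>
<Contents><Key>2026/booklets/0002.pdf</Key></Contents>
</ListBucketResult>"""
_PAGE_2 = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>example-media-bucket</Name><KeyCount>1</KeyCount><IsTruncated>false</IsTruncated>
<Contents><Key>2026/question-papers/qp-001.pdf</Key></Contents>
</ListBucketResult>"""


def fake_fetch(url: str):
    """Stand-in for fetch() that serves the constructed pages."""
    return (200, _PAGE_2) if "continuation-token=tok1" in url else (200, _PAGE_1)


if __name__ == "__main__":
    bucket = sys.argv[1] if len(sys.argv) > 1 else None
    verdict, keys = (enumerate_public_bucket(bucket) if bucket
                     else enumerate_public_bucket("example-media-bucket", fetch=fake_fetch))
    print(verdict, len(keys), "keys listed;", keys[:3])
```

The equivalent one-liner is `aws s3api list-objects-v2 --bucket NAME --no-sign-request`; a 200 with keys means anyone can enumerate. The fix is to turn on all four S3 Block Public Access settings (`aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`) and remove any `"Principal": "*"` grant from the bucket policy, after which the same anonymous request returns 403 and this script reports LIST_DENIED.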
Finding 9 (payment data leak): An unauthenticated API endpoint on a CBSE-related payment portal returned 457,874+ payment transaction records, including email addresses, phone numbers, payment IDs, order IDs, payment method, and status, to anyone who sent a request. No authentication required.
Imagine the school's fee collection office left a printout of every parent's payment receipt, with their name, email, phone number, and what they paid for, taped to the front window. Anyone walking past could photograph it. Now imagine that list has nearly half a million entries.
The data was extracted by calling an API endpoint that returned JSON, then displayed in the browser console via console.table(rows). The researcher did not need to bypass a login, use an exploit, or authenticate in any way; the endpoint simply served the data to anyone who asked.
"console.table(rows); Total visible records: 457874" — Browser DevTools screenshot from @ni5arga's disclosure tweet, May 31, 2026
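To make "served the data to anyone who asked" concrete at the code level, here is an added illustration that is not the portal's code (the route, records, bearer token and field names are all constructed): the endpoint written the way the disclosure describes it, beside a hardened version that authenticates the caller, returns only that caller's own records, and masks the contact fields. Both are plain WSGI apps driven in-process, so the comparison runs offline with no server.

```python
import json
from wsgiref.util import setup_testing_defaults

# Constructed records, not real portal data. The field set follows what the
# disclosure lists: email, phone, payment id, order id, method, status.
PAYMENTS = [
    {"payment_id": "pay_1", "order_id": "ord_1", "account": "acct_a",
     "email": "a@example.invalid", "phone": "+919800000001", "method": "upi", "status": "captured"},
    {"payment_id": "pay_2", "order_id": "ord_2", "account": "acct_b",
     "email": "b@example.invalid", "phone": "+919800000002", "method": "card", "status": "failed"},
]
# Bearer token -> account. A real service validates a session or JWT instead.
TOKENS = {"tok-a": "acct_a"}


def vulnerable_app(environ, start_response):
    """Finding 9 as described: no auth check, full dump of every record."""
    if environ["PATH_INFO"] == "/api/payments":
        start_response("200 OK", [("Content-Type", "application/json")])
        return [json.dumps(PAYMENTS).encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def mask_email(email: str) -> str:
    user, _, domain = email.partition("@")
    return user[:1] + "***@" + domain


def mask_phone(phone: str) -> str:
    return "*" * (len(phone) - 4) + phone[-4:]


def hardened_app(environ, start_response):
    """Same route with the controls the flaw lacked: authentication, scoping
    to the caller's own account, and minimisation of the PII returned."""
    if environ["PATH_INFO"] != "/api/payments":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    auth = environ.get("HTTP_AUTHORIZATION", "")
    account = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if account is None:
        start_response("401 Unauthorized",
                       [("Content-Type", "application/json"), ("WWW-Authenticate", "Bearer")])
        return [b'{"error":"authentication required"}']
    rows = [
        {"payment_id": r["payment_id"], "order_id": r["order_id"],
         "email": mask_email(r["email"]), "phone": mask_phone(r["phone"]),
         "method": r["method"], "status": r["status"]}
        for r in PAYMENTS if r["account"] == account  # never the whole table
    ]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(rows).encode()]


def call(app, path: str, headers: dict = None):
    """Drive a WSGI app in-process and return (status line, decoded body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body) if body.startswith((b"[", b"{")) else body.decode()
```

Pasting the vulnerable endpoint's output into `console.table(rows)` is exactly what the screenshot shows; against the hardened version the same unauthenticated request gets a 401 and an authenticated one gets only its own masked rows, so there is no table to dump.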
CERT-In reference: CERTIn-16590126

| # | What | Blogged? | Who's affected | How hard to exploit |
|---|---|---|---|---|
| 1 | Master password in code | Yes | CBSE OSM | Easy: visible in website code |
| 2 | Client-side OTP | Yes | CBSE OSM | Easy: browser checks it, not server |
| 3 | No login required | Yes | CBSE OSM | Trivial: just type the URL |
| 4 | Password reset w/o old one | Yes | CBSE OSM | Easy: one API call |
| 5 | ID manipulation (IDOR) | Yes | CBSE OSM | Easy: change a number in URL |
| 6 | Full server takeover | No | CBSE production | Medium: requires chaining vulns |
| 7 | Super admin (universities) | No | OnMark platform-wide | Medium: same platform flaw |
| 8 | Open S3 bucket | No | Multiple institutions | Zero: just a web browser |
| 9 | Payment data leak (457K+ records) | No | Students/parents who paid | Zero: unauthenticated API, no login needed |
The pattern is clear: the first 5 were CBSE-specific. The last 3 reveal the problem is platform-wide, affecting every institution using the OnMark/Coempt infrastructure.
---

CERT-In, India's national cybersecurity agency, responded with boilerplate "thank you" emails each time ni5arga reported a finding:
"CERT just sends me a boilerplate 'thank you' reply every time and it's frustrating to say the least." โ @ni5arga
CBSE issued an official statement from HQ on May 31 acknowledging a security breach and deploying cybersecurity teams โ but only after the S3 bucket disclosure went viral with 476K+ views.
---