Nisarga Adhikary, an 18-year-old researcher, found a plaintext master password in CBSE's online marking system. India's cybersecurity agency, CERT-In, allegedly ignored his February 2026 report, only for CBSE to deny the breach with a domain name mix-up. This incident highlights potential systemic gaps in vulnerability response, especially for critical education infrastructure.
How We Got Here
Adhikary reported the vulnerabilities to CERT-In shortly after February 25, 2026, receiving only a templated acknowledgement. On May 27, 2026, CBSE claimed the vulnerable URL was a "testing site" with no actual student data.
The Numbers
- The discovered vulnerabilities included a master password stored in plaintext within the frontend JavaScript bundle, where anyone loading the page could read it.
- Cybersecurity researcher Karan Saini independently verified the master password's existence, archiving the JavaScript code from January 2026.
- CBSE's denial on May 27, 2026, referred to `cbse.onmarks.co.in`, a domain registered just 10 minutes before the denial was issued, instead of the vulnerable `cbse.onmark.co.in`, which was registered in 2019.
- The "On-Screen Marking" system allows digital evaluation of scanned answer sheets.
- Internet Freedom Foundation (IFF) issued a statement and emailed the Ministry of Education regarding the issue.
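As an added, defender-side illustration (not code from the page, from MediaNama, or from CBSE's vendor), the check below flags credential-like string literals in a JavaScript bundle, which is the class of defect described above. The bundle text, the identifier names and the patterns are constructed assumptions; a real deployment would run this over the built assets in CI before they are published.

```python
import re

# Constructed sample of a minified frontend bundle (assumption, not the real
# CBSE code). It embeds a credential the way a hard-coded master password
# would appear, plus harmless strings that a naive grep would flag.
SAMPLE_BUNDLE = (
    'var e={apiBase:"/api/v1",theme:"dark"};'
    'function login(u,p){return p==="Sup3rSecret!"||check(u,p)}'
    'const MASTER_PASSWORD="Sup3rSecret!";'
    'var t="password";'  # mentions "password" but carries no credential value
)

# Identifier containing pass/pwd/secret/token bound to a non-empty string literal.
NAMED_CREDENTIAL = re.compile(
    r'(?P<name>[A-Za-z_$][\w$]*(?:pass(?:word)?|pwd|secret|token)[\w$]*)'
    r'\s*[:=]\s*(?P<q>["\'])(?P<value>(?:(?!(?P=q)).){4,})(?P=q)',
    re.I,
)
# Direct equality check against a long string literal, the shape of a
# client-side "if the password equals this constant, let them in" bypass.
LITERAL_COMPARISON = re.compile(
    r'===?\s*(?P<q>["\'])(?P<value>(?:(?!(?P=q)).){8,})(?P=q)'
)


def find_hardcoded_credentials(bundle: str):
    """Return (kind, identifier, value) findings for credential-like literals.

    `identifier` is empty for bare comparisons, where no variable name exists.
    Values are returned so a reviewer can confirm the hit; a CI job should
    redact them before logging.
    """
    findings = []
    for m in NAMED_CREDENTIAL.finditer(bundle):
        findings.append(("named-credential", m.group("name"), m.group("value")))
    for m in LITERAL_COMPARISON.finditer(bundle):
        findings.append(("literal-comparison", "", m.group("value")))
    return findings


def bundle_is_clean(bundle: str) -> bool:
    """Gate for a build pipeline: True only when no credential-like literal is found."""
    return not find_hardcoded_credentials(bundle)


if __name__ == "__main__":
    for kind, name, value in find_hardcoded_credentials(SAMPLE_BUNDLE):
        print(f"{kind}: {name or '<comparison>'} -> {value[:3]}***")
    print("clean" if bundle_is_clean(SAMPLE_BUNDLE) else "BLOCKED: secrets in bundle")
```

The regexes are deliberately narrow; they catch the pattern reported here (a literal credential shipped to the browser) and leave ordinary string constants alone.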
What Happens Next
🇮🇳 Why This Matters for India
For ed-tech founders building secure platforms for national examinations, this raises questions about government security standards and the process for reporting critical vulnerabilities.
The Take
CERT-In's alleged three-month silence after a critical vulnerability report is the bigger failure here, undermining public trust in our cyber defense system. This incident will prompt more scrutiny of government portal security for future national exams.
Source: MediaNama