NEW DELHI: The Central Board of Secondary Education (CBSE) has responded to the allegations made by cybersecurity researcher Nisarga Adhikary, who claimed that scanned Class 12 answer sheets and question papers were publicly accessible online due to an insecure cloud storage configuration.
The issue came to light after the ethical hacker shared screenshots and technical details on social media alleging that an Amazon Web Services (AWS) bucket linked to examination records lacked proper authentication.
The claims triggered concerns among students, parents, and cybersecurity experts regarding the security of confidential academic records and the handling of digital examination infrastructure.
“CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned booklet — across institutions. Multiple institutions are using the same bucket, insanely insecure,” Adhikary posted on social media platform X.
CBSE people didn’t configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned… pic.twitter.com/Jy6MMyHzbP
— nisarga (@ni5arga) May 31, 2026
Screenshots shared online appeared to show scanned answer booklets from the 2026 examinations allegedly accessible through the portal.
A sample answer booklet circulating online showed multiple scanned pages, including handwritten responses, evaluation sheets, and blank continuation pages reportedly accessed through the exposed storage system.
Vulnerabilities contained, says CBSE
Responding to the allegations, CBSE said, “We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain.”
The board added that “an expert team of cybersecurity professionals” from various government departments and IITs had been deployed to strengthen the systems. CBSE further stated, “The identified vulnerabilities have been contained, and other exploitable weaknesses are being ruled out.”
We have been closely monitoring the vulnerabilities in the OnMark portal of our service provider that are being flagged in the public domain. An expert team of cybersecurity professionals has been deployed over the last few days from across various arms of the government as well…
— CBSE HQ (@cbseindia29) May 31, 2026
The board also thanked “alert citizens and ethical hackers” for reporting such issues and requested others to share security-related inputs through its official channels.