Mumbai, May 27: A 19-year-old student, Nisarg Adhikari, has claimed that he successfully hacked into the Central Board of Secondary Education (CBSE) website, highlighting significant security flaws. Nisarg, a cybersecurity researcher, shared his findings on a blog that was later posted by entrepreneur DD Das on Twitter.
In his blog, Nisarg mentioned that he alerted the Indian government’s cybersecurity agency, CERT-In, about these vulnerabilities back in February 2026. He pointed out that sensitive data related to board exams could be accessed without any password, indicating a serious lapse in security protocols.
On May 22, Nisarg’s post claimed that the CBSE’s online marking portal had multiple weaknesses, and despite his earlier alert, no action had been taken by the authorities. DD Das amplified the discussion on Twitter, stating that anyone could view or alter the marking scheme on the CBSE website.
Nisarg explained that the CBSE’s Online Marking (OSM) portal, where teachers check answer sheets, was entirely public. He was astonished to find that the coding system allowed easy access to sensitive information. The login page required only a user ID, school code, and password, followed by an OTP. However, he discovered that the master password was openly available in the coding, eliminating the need for an OTP.
This vulnerability could allow anyone to access an examiner’s account with just a user ID and school code, which are readily available online. Nisarg noted that the application lacked proper internal protection routes, making it easy to view dashboards and profiles through browser storage.
Moreover, he pointed out that the OTP system was merely a facade, as the OTP could be viewed directly on the website, enabling users to log in without entering the OTP. Following DD Das’s tweet, the CBSE portal has become a hot topic among users, raising concerns about the security of an examination system that affects millions of students across India and abroad.