CBSE Admits Security Gaps in Online Marking Portal After Ethical Hackers Expose Vulnerabilities Twice

CBSE acknowledges security gaps in its OSM portal after hackers exposed vulnerabilities twice. Government deploys IIT experts for a full security overhaul.

The Central Board of Secondary Education has acknowledged significant security vulnerabilities in its On-Screen Marking (OSM) portal — the digital platform used to evaluate Class 10 and Class 12 board examination answer sheets — after ethical hackers exposed flaws in the system on at least two occasions. In a marked U-turn from its initial denial, the board posted on X (formerly Twitter) thanking the ethical hackers and confirming that government-appointed and IIT security experts have been deployed for a comprehensive overhaul.

The admission comes during an already turbulent examination season that has seen public trust in India’s educational assessment infrastructure shaken by multiple controversies, including the Supreme Court rapping NTA over NEET-UG 2026 cancellation following paper leak allegations.

The Hacking Incidents — What Actually Happened

The controversy began in late February 2026 when a cybersecurity researcher posted screenshots on social media showing that the CBSE OSM portal bearing the URL cbse.onmarks.co.in had been compromised. The researcher demonstrated access to internal databases, teacher login credentials, and sample answer sheet images — raising immediate concerns about the integrity of the evaluation process that affects over 38 lakh students annually.

CBSE initially dismissed the claim, stating on 26 February that the compromised portal was merely an internal testing site containing sample data and not the operational evaluation platform, which used a different URL. The board specifically said: “The URL: cbse.onmarks.co.in was neither used for actual evaluation nor does it contain real student answer sheets.”

However, a second incident in mid-May proved harder to dismiss. A different group of security researchers identified vulnerabilities in what they claimed was the production environment, including SQL injection flaws, insecure API endpoints, and plaintext storage of evaluator credentials. These findings were reported to CERT-In (Indian Computer Emergency Response Team), which confirmed that the vulnerabilities were legitimate and required immediate remediation.

CBSE’s Reversal — From Denial to Acknowledgement

In its latest statement posted on Saturday, CBSE struck a dramatically different tone. “The board acknowledges that certain security gaps were identified in the OSM infrastructure by cybersecurity researchers and ethical hackers. CBSE thanks these individuals for bringing such weaknesses to attention in a responsible manner,” the statement read.

The board confirmed that a multi-layered security audit is now underway, led by experts from the Ministry of Electronics and Information Technology (MeitY), IIT Delhi’s cybersecurity research group, and CERT-In. The audit covers the production OSM portal, all associated databases, communication channels between examiners and the central server, and the digital workflow for answer sheet distribution and grade compilation.

CBSE Controller of Examinations Dr. Sanyam Bhardwaj assured parents and students that no actual student marks or answer sheets were compromised during either incident. “The evaluation data for the 2026 examinations was processed on an air-gapped system with additional encryption layers. The vulnerabilities identified were in peripheral systems, not the core evaluation engine,” he stated.

Why This Matters — Scale and Stakes of Digital Evaluation

The OSM system is not a peripheral tool — it is the backbone of CBSE’s evaluation process. Approximately 5,000 examiners across the country log into the platform to evaluate digitised answer sheets, assign marks, and flag discrepancies. In the 2026 examination cycle, over 1.5 crore answer sheets across 76 subjects were processed through the system. A successful compromise of the production platform could theoretically allow alteration of marks, manipulation of grading curves, or exposure of student performance data.

Cybersecurity experts have been particularly critical of the technical choices underlying the OSM infrastructure. Rajshekhar Murthy, a principal security architect at DSCI (Data Security Council of India), noted that several of the reported vulnerabilities — including SQL injection and insecure authentication — are “well-understood attack vectors that should not exist in any system handling sensitive educational data in 2026.”

“The fact that AI coding tools transforming enterprise workflows in India can detect these flaws automatically makes the oversight even more inexcusable. Basic application security testing would have caught these issues before deployment,” Murthy added.

The Broader Pattern — India’s EdTech Security Crisis

The CBSE episode fits into a broader pattern of cybersecurity failures across India’s education sector. In 2024, the National Testing Agency faced allegations that its systems were compromised during the NEET-UG examination, leading to a nationwide cancellation and re-examination. The Common University Entrance Test (CUET) platform experienced multiple crashes in both 2023 and 2024. State-level examination boards in Rajasthan, Madhya Pradesh, and Bihar have all reported security incidents over the past three years.

The underlying problem, according to policy analysts, is that India’s examination infrastructure has been digitised rapidly without proportionate investment in cybersecurity. “We have moved 40 million answer sheets from physical to digital evaluation in under five years, but the cybersecurity budget for examination boards has barely increased. The result is systems that are digital in form but analogue in their security architecture,” observed Professor Anurag Mehra, who heads IIT Bombay’s Centre for Technology Alternatives for Rural Areas and has also consulted on education technology infrastructure.

The issue also raises questions about data protection under the Digital Personal Data Protection Act (DPDPA) 2023. Student examination data — including answer sheets, marks, and personal identification information — constitutes sensitive personal data under the Act. If the OSM portal vulnerabilities extended to production systems, CBSE could face regulatory scrutiny from the upcoming Data Protection Board for failing to implement adequate security safeguards.

What Happens Next — Security Overhaul Timeline

The MeitY-IIT audit is expected to be completed by mid-June, with a remediation plan to be implemented before the 2026-27 examination cycle begins. Key measures being discussed include mandatory penetration testing before each examination cycle, two-factor authentication for all evaluators, end-to-end encryption of answer sheet data, and real-time anomaly detection using machine learning algorithms.

CBSE has also announced the creation of a permanent Cybersecurity Cell within the board’s IT division, staffed by full-time security professionals rather than the current arrangement where security is managed by the same team responsible for general IT operations. The cost implications are significant — with technology infrastructure costs escalating across enterprises — but the board has acknowledged that the alternative is an erosion of public trust that no educational institution can afford.

For the millions of students and parents awaiting CBSE results in June, the board’s assurance that actual marks were not compromised will be closely scrutinised. Trust, once broken in education systems, takes years to rebuild.

Ankit Thakur

Ankit Thakur is an Editor at Daily Tips overseeing sports and entertainment coverage. A lifelong sports enthusiast with years of journalism experience, he covers cricket, kabaddi, football, esports, and gaming. He also manages the publication's entertainment vertical, bringing insider knowledge and passionate storytelling to every piece.