The Central Board of Secondary Education (CBSE) is facing questions over the security of its online portal after a student’s detailed claims about alleged vulnerabilities and backend access began circulating widely on social media and Reddit.
The matter surfaced at a time when thousands of Class 12 students were already struggling with glitches on the CBSE portal used to apply for scanned copies of their answer sheets. Over the past few days, students have reported wrong answer sheets, payment failures, unusual fee amounts, delayed application updates, and repeated login issues.
What initially appeared to be a technical glitch soon snowballed into a larger debate after a 19-year-old Reddit user claimed he had discovered security loopholes in the system and was allegedly able to access parts of the portal’s admin controls.

Student explains what he found
The student, who goes by the name Nisarga (official name), is a cybersecurity researcher and a recent Class 12 graduate. He claimed he did not steal any information or misuse the access, but decided to raise his concerns publicly after allegedly receiving no response from authorities.
Speaking to The Free Press Journal, the student explained that he first came across the On-Screen Marking (OSM) portal link through a publicly available news article. “I’ve been doing ethical hacking stuff for a long time, so the portal naturally sparked my curiosity,” he said.

He claimed that while inspecting the portal’s JavaScript code and network requests through browser developer tools, he allegedly found sensitive authentication mechanisms exposed in the frontend code itself.
According to him, a “master password” appeared to be hardcoded inside the client-side JavaScript bundle, which he claimed could bypass the OTP-based login system.
“Several security checks were happening only on the client side instead of the server side, which meant they could be bypassed very easily,” he alleged.
The student further claimed that the vulnerabilities allegedly allowed access to teacher accounts, evaluator details, and even the ability to edit marks or reset passwords.

He also alleged that, at one stage, personal details such as student names, addresses, phone numbers, and parents’ names were visible through the portal backend, along with other crucial details such as IFSC codes, bank account details, and other payment information.

Claims of login bypass and account takeover
The student shared portions of emails that he said were sent to the Indian Computer Emergency Response Team (CERT-In) and CBSE roughly three months ago, around 25 Feb 2026.
In the emails he sent nearly three months ago, he reportedly described multiple alleged vulnerabilities, including OTP bypass issues, weak route protections, and insecure API calls.

He further claimed that some login protections could allegedly be bypassed simply through browser developer tools because validation checks were happening on the client side.
Another serious allegation involved what he described as “systemic IDOR vulnerabilities”, flaws that could allegedly allow users to modify account details by changing values stored in browser session data.
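The two server-side controls whose absence these allegations describe, OTP verification and object-level authorization, are sketched below as an added example; it is not code from the CBSE portal or from the student's report. All function names, the in-memory stores and the sample records are constructed for illustration.

```javascript
const crypto = require("crypto");

// Constructed in-memory stores standing in for a database (hypothetical names).
const otpStore = new Map();   // userId -> { hash, expires, attempts }
const sessions = new Map();   // sessionId -> { userId, role }
const profiles = new Map([["t1", { phone: "000" }], ["t2", { phone: "111" }]]);

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();

// The server generates the OTP and keeps only a hash; no secret ships in the JS bundle.
function issueOtp(userId, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1000000)).padStart(6, "0");
  otpStore.set(userId, { hash: sha256(code), expires: now + 5 * 60 * 1000, attempts: 0 });
  return code; // delivered out of band (SMS/e-mail), never in an API response
}

// Verification runs on the server: expiry, attempt limit, constant-time compare, single use.
function verifyOtp(userId, code, now = Date.now()) {
  const rec = otpStore.get(userId);
  if (!rec || now > rec.expires || rec.attempts >= 5) return null;
  rec.attempts += 1;
  if (!crypto.timingSafeEqual(rec.hash, sha256(String(code)))) return null;
  otpStore.delete(userId);
  const sessionId = crypto.randomBytes(32).toString("hex");
  sessions.set(sessionId, { userId, role: "teacher" }); // role is set by the server
  return sessionId;
}

// Object-level authorization: the acting identity comes from the server-side session,
// never from an ID the client sends or keeps in browser storage.
function updateProfile(sessionId, targetUserId, changes) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401 };
  if (session.userId !== targetUserId && session.role !== "admin") return { status: 403 };
  if (!profiles.has(targetUserId)) return { status: 404 };
  profiles.get(targetUserId).phone = String(changes.phone);
  return { status: 200 };
}
```

Because the session record lives only on the server, editing values in browser storage or skipping a frontend check changes nothing the server relies on.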
The student claimed he reported the issues responsibly and even shared screen recordings with CERT-In. According to him, CERT-In acknowledged the complaint through an automated response, but no detailed follow-up was received later.
“I tried contacting CBSE separately, but they didn’t respond,” he said.

Students reported strange payment changes
Similarly, according to various posts shared online, students on May 21 noticed unusual differences in the pricing displayed on the portal while applying for scanned answer books. Some claimed the amount changed by Rs 1, while others reported seeing figures like Rs 69.67 instead of the standard fee.
Soon after the students' allegations on X, CBSE assured students that they would receive refunds automatically. CBSE stated that any excess amounts deducted will be credited back using the same payment method used during the transaction.
In cases where candidates were charged less than the required amount, the board stated that separate communication will be sent to the affected students regarding payment of the remaining balance, if necessary.

Education Ministry brings in IIT Madras experts
As concerns over the portal continued to grow, the Union Ministry of Education on Sunday directed the engagement of technical experts from the Indian Institute of Technology Madras and the Indian Institute of Technology Kanpur to assist CBSE in resolving the ongoing issues.
The move comes after repeated complaints from students and parents regarding portal stability, payment failures, login access problems, and disruptions in post-result services.
According to the official statement issued by the Press Information Bureau, Union Education Minister Dharmendra Pradhan instructed that a team of professors and technical experts from IIT Madras and IIT Kanpur be deputed to support CBSE in strengthening its digital infrastructure.
The expert team will reportedly examine all technical issues linked to this year’s post-examination services, including server stability, authentication system, payment gateway reliability, user access workflows, and overall backend infrastructure.
The IIT Madras team has also been tasked with carrying out a broader assessment of CBSE’s IT systems and recommending both immediate and long-term corrective measures.
The Ministry stated that the intervention is aimed at making the system more transparent, efficient, and student-friendly while ensuring smoother functioning of post-result services in the future.
Officials added that student interests remain the top priority and necessary improvements would be implemented as quickly as possible.

IIT Madras says team will conduct root-cause analysis
When contacted by The Free Press Journal, IIT Madras confirmed that a team with experience in handling large-scale digital infrastructure would assist the board.
“Couple of faculty/staff will be deputed who have experience in handling large-scale web portals and related hardware/software infrastructure,” the institute said.
It further added that the team’s immediate focus would be on identifying the root cause behind the disruptions and recommending quick remedies wherever required.
“Their primary role is to perform a root-cause analysis and suggest quick remedies, if needed, followed by long-term solutions that will ensure a robust platform for the children. The duration will depend upon the root causes identified. They will be associated till the platform becomes robust,” IIT Madras said.
The Free Press Journal has reached out to the CBSE board regarding the matter. However, till the time of publishing this article, no official response had been received.

Questions over security oversight
While CBSE has not publicly commented on the specific allegations made by the student, the incident has triggered concerns among students and parents about the safety of sensitive educational data hosted on government-linked portals.
At present, it remains unclear whether the alleged vulnerabilities were independently verified or whether a formal investigation has been initiated into the claims circulating online.