After days of denial, the Central Board of Secondary Education (CBSE) has finally acknowledged security "vulnerabilities" in Onmark, the portal used by teachers this year to evaluate scanned answer sheets of Class 12 exams.
The acknowledgment follows a series of security loopholes reported by young ethical hackers, who also shared evidence on social media.
Security vulnerabilities have been identified in at least nine domains related to CBSE's On-Screen Marking (OSM) system, introduced this year for Class 12 exam evaluation. These include cbse.onmark.co.in, cbse1-cbse6.onmark.co.in (six apparently mirrored portals), cbseosm.onmark.co.in, and cbseprod.onmark.co.in.
Most of the security loopholes were initially detected on cbse.onmark.co.in, and many of them were found on its mirror portals as well. All of these sites are currently inaccessible.
A lot of technical language has been used to describe these loopholes. Let's break them down in simple terms.
Allegations Simplified
Allegation 1: Master Password Left in Portal
Cybersecurity researcher Nisarga Adhikary shared with NDTV a video recording showing a plaintext password in the code of the main website, cbse.onmark.co.in - the most serious threat reported.
However, the site did not contain the hardcoded password on March 3, 2026, according to NDTV's analysis of an archived version of its source code, suggesting it had been fixed by then. Some mirror portals, versions of which are available on internet archives, also did not contain the password by late March.
What it means: Leaving a master password in a portal's source code is like leaving your house key right outside the front door. Everything a website sends to the browser is visible to the person using it, so even a non-technical user could open the page's source with the browser's built-in developer tools and read the master password. With it, they would only need a genuine evaluator's user ID to log in as that evaluator and potentially change the marks assigned to them.
It is unclear whether the system allowed mark edits outside the official evaluation window, which is an important safeguard if present.
Allegation 2: OTP Validation Done Entirely Client-Side
What it means: OTP (One-Time Password) is a common two-step verification method used to ensure that unauthorised users cannot log in even if they have valid credentials. As standard practice, OTPs are sent to the registered user's phone or email ID and must be entered manually to prove identity.
Adhikary claimed this safeguard could be bypassed at cbse.onmark.co.in. In his demonstration, the OTP appears to be auto-filled when the master password is used. That would mean the server returned the OTP to the browser itself, rather than only to the user's registered email or phone, so the second step could be completed without access to either.
However, publicly available tutorial videos suggest that normal users still need to manually enter OTPs.
This suggests the vulnerability may only apply if someone has access to the master password.
Allegation 3: Password Change Without Current One
What it means: Most platforms require users to enter their current password before changing it.
In this case, the researcher claimed the portal allows a password change without verifying the old password. Traffic analysis suggested that the current password may not be validated server-side.
If true, this could allow an unauthorised user to reset an evaluator's password and lock them out.
(Image: Still from video shared by Adhikary shows the OSM dashboard containing personal information of a teacher from Madhya Pradesh, who told NDTV he had participated in mock drills but not in the actual evaluation process.)
Allegation 4: No Route Guards
What it means: Think of a government office where you are supposed to enter only one specific room, but no one stops you from entering others.
Similarly, the system may not strictly restrict access to internal pages. Route guards of this kind normally live in the browser-side code and decide only which pages the browser displays; unless the server separately checks every request, a user can ask for internal pages and data directly. According to the researcher, sensitive pages and files could be accessed or modified due to weak authentication controls.
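An added example, not code from the Onmark portal, shows a route guard running in the browser next to a server that relies on it, and a server that checks each request itself. The session tokens, user IDs and the answer-sheet record are constructed for the example:

```javascript
// Added example for this explainer (not Onmark code): a browser-side route
// guard beside a server that does, and one that does not, check each
// request itself. Session tokens, user IDs and the sheet record are
// constructed for the example.

// Sessions the server knows about (a session store in a real deployment).
const SESSIONS = {
  'tok-eval-1': { userId: 'EVAL1001', role: 'evaluator' },
  'tok-eval-2': { userId: 'EVAL2002', role: 'evaluator' },
  'tok-admin': { userId: 'ADMIN01', role: 'admin' },
};

// One answer sheet assigned to one evaluator.
function makeMarks() {
  return { 'sheet-42': { evaluator: 'EVAL1001', marks: 61 } };
}

// What a single-page app calls a route guard: it decides which screen to
// draw. It runs in the user's browser, so it is advice, not enforcement.
function clientRouteGuard(appState, path) {
  if (path.startsWith('/admin') && appState.role !== 'admin') return 'redirect:/login';
  return 'render:' + path;
}

const SHEET_ROUTE = /^\/api\/marks\/([\w-]+)$/;

// Server with no guard of its own: the client guard was the only check, and
// anyone can skip it by calling these URLs directly, with or without a login.
function routeUnguarded(marks, req) {
  const m = req.path.match(SHEET_ROUTE);
  if (m) {
    const sheet = marks[m[1]];
    if (!sheet) return { status: 404 };
    if (req.method === 'GET') return { status: 200, body: sheet };
    if (req.method === 'PUT') { sheet.marks = req.body.marks; return { status: 200 }; }
  }
  if (req.path === '/api/admin/evaluators') {
    return { status: 200, body: ['EVAL1001', 'EVAL2002'] };
  }
  return { status: 404 };
}

// Server that guards every route: authenticate the token, then authorise the
// specific object (this sheet) and the role (admin area) before acting.
function routeGuarded(marks, req) {
  const session = SESSIONS[req.token];
  if (!session) return { status: 401 };  // not logged in
  const m = req.path.match(SHEET_ROUTE);
  if (m) {
    const sheet = marks[m[1]];
    if (!sheet) return { status: 404 };
    // object-level check: only the assigned evaluator or an admin may touch this sheet
    if (session.role !== 'admin' && sheet.evaluator !== session.userId) return { status: 403 };
    if (req.method === 'GET') return { status: 200, body: sheet };
    if (req.method === 'PUT') {
      const v = req.body && req.body.marks;
      if (!Number.isInteger(v) || v < 0 || v > 100) return { status: 400 };
      sheet.marks = v;
      return { status: 200 };
    }
  }
  if (req.path === '/api/admin/evaluators') {
    if (session.role !== 'admin') return { status: 403 };  // role check
    return {
      status: 200,
      body: Object.values(SESSIONS).filter(s => s.role === 'evaluator').map(s => s.userId),
    };
  }
  return { status: 404 };
}
```

Two checks matter on the server, and both are missing in the unguarded version: whether the caller is logged in at all, and whether this particular caller may act on this particular sheet. The second one is what stops an evaluator from editing marks assigned to a colleague.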
Allegation 5: Improper AWS Bucket Configuration
What it means: CBSE stored scanned answer sheets in an Amazon Web Services (AWS) S3 storage bucket. However, the bucket's access settings may not have been properly secured.
This could mean anyone on the internet could potentially access or download students' answer sheets, raising concerns about privacy and data misuse.
(Image: Screenshot of an alleged cloud storage hosting scanned copies of answer sheets of CBSE Class 12th exam 2026)
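For readers who administer cloud storage, here is an added example that checks two things on an S3 bucket: whether its policy grants anonymous reads, and whether the four "Block Public Access" settings are all switched on. It is not the Onmark configuration, which is not public; the bucket name, account ID and policies in it are constructed for the example:

```javascript
// Added example for this explainer: checks for the two S3 settings that
// decide whether a bucket's objects are readable by anyone on the internet.
// The bucket name, account ID and every policy below are constructed.

function toArray(x) {
  return x === undefined ? [] : Array.isArray(x) ? x : [x];
}

// "*" and {"AWS": "*"} both mean "anyone, including unauthenticated users".
function principalIsPublic(principal) {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    const aws = principal.AWS;
    return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
  }
  return false;
}

function actionAllowsRead(action) {
  return toArray(action).some(a => a === '*' || a === 's3:*' || a.toLowerCase() === 's3:getobject');
}

// Returns the Sids of statements that let anonymous callers read objects.
// A statement with a Condition narrows the grant (for example to one VPC
// endpoint), so it is listed for review rather than counted as public.
function findPublicReadStatements(policy) {
  const out = { public: [], conditional: [] };
  for (const st of toArray(policy.Statement)) {
    if (st.Effect !== 'Allow' || !principalIsPublic(st.Principal) || !actionAllowsRead(st.Action)) continue;
    (st.Condition ? out.conditional : out.public).push(st.Sid || '(no Sid)');
  }
  return out;
}

// Block Public Access: all four flags must be true for a public policy or
// ACL to be ignored even if someone attaches one later.
function publicAccessBlockComplete(cfg) {
  return ['BlockPublicAcls', 'IgnorePublicAcls', 'BlockPublicPolicy', 'RestrictPublicBuckets']
    .every(k => Boolean(cfg) && cfg[k] === true);
}

function assessBucket(policy, publicAccessBlock) {
  return {
    publicRead: findPublicReadStatements(policy).public,
    blockComplete: publicAccessBlockComplete(publicAccessBlock),
  };
}

// Constructed weak configuration: anyone can fetch any object.
const WEAK_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'AllowAnyoneToReadSheets', Effect: 'Allow', Principal: '*',
    Action: 's3:GetObject', Resource: 'arn:aws:s3:::example-answer-sheets/*',
  }],
};
const WEAK_PAB = {
  BlockPublicAcls: false, IgnorePublicAcls: false, BlockPublicPolicy: false, RestrictPublicBuckets: false,
};

// Constructed corrected configuration: only one named service role can read
// (the account ID is the AWS documentation placeholder), and public access
// is blocked at the bucket level regardless of future policy changes.
const FIXED_POLICY = {
  Version: '2012-10-17',
  Statement: [{
    Sid: 'EvaluationServiceOnly', Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::123456789012:role/example-osm-service' },
    Action: ['s3:GetObject'], Resource: 'arn:aws:s3:::example-answer-sheets/*',
  }],
};
const FIXED_PAB = {
  BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true,
};
```

To run this against a real bucket, feed it the output of `aws s3api get-bucket-policy --bucket NAME` (the `Policy` field is a JSON string and needs `JSON.parse`) and `aws s3api get-public-access-block --bucket NAME` (the `PublicAccessBlockConfiguration` object). A policy check alone is not enough: a bucket can also be exposed through object ACLs, which is what the `BlockPublicAcls` and `IgnorePublicAcls` flags cover.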
CBSE Faces Questions
Opposition leaders, activists, and citizens have criticised CBSE for alleged negligence and a laid-back approach to application security. Some have also questioned whether undue preference was given to Hyderabad-based Coempt Edu Pvt Ltd.
CBSE officials did not respond to NDTV's questions regarding the alleged irregularities. A former senior CBSE official said that applications developed by third parties typically undergo rigorous internal testing before deployment.