{"id":14962,"date":"2026-05-31T14:12:25","date_gmt":"2026-05-31T08:42:25","guid":{"rendered":"https:\/\/banitoday.com\/anyone-can-download-teen-hacker-alleges-cbse-answer-sheets-were-exposed-online\/"},"modified":"2026-05-31T14:12:25","modified_gmt":"2026-05-31T08:42:25","slug":"anyone-can-download-teen-hacker-alleges-cbse-answer-sheets-were-exposed-online","status":"publish","type":"post","link":"https:\/\/banitoday.com\/hi\/anyone-can-download-teen-hacker-alleges-cbse-answer-sheets-were-exposed-online\/","title":{"rendered":"&#8216;Anyone can download&#8217;: Teen hacker alleges CBSE answer sheets were exposed online"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<div class=\"e9jwa\">\n<div class=\"vdo_embedd\">\n<div class=\"GfdvZ\">\n<section class=\"_bIDB  clearfix id-r-component leadmedia undefined undefined  E9tg9 \" style=\"top:0px\">\n<div class=\"_bIDB\" data-ua-type=\"1\" onclick=\"stpPgtnAndPrvntDefault(event)\">\n<div class=\"ypVvZ\">\n<div class=\"WGttI\"><img src=\"https:\/\/static.toiimg.com\/thumb\/msid-131420255,imgsize-36612,width-400,height-225,resizemode-4\/screenshot-2026-05-31-131016.jpg\" alt=\"'Anyone can download': Teen hacker alleges CBSE answer sheets were exposed online\" title=\".\" decoding=\"async\" fetchpriority=\"high\"\/><\/div>\n<\/div>\n<\/div>\n<\/section>\n<\/div><\/div>\n<\/div>\n<p>Days after alleging security flaws in CBSE\u2019s digital evaluation system, 19-year-old ethical hacker Nisarga Adhikary has claimed that scanned answer sheets and question papers linked to the board were publicly accessible.<span class=\"id-r-component br\" data-pos=\"2\"\/>In a post on X, Adhikary alleged that an AWS bucket containing 2026 answer sheets and question papers could be accessed without authentication. \u201cCBSE people didn&#8217;t configure their AWS bucket properly and now we can paginate &amp; enumerate all their media which has 2026 answersheets &amp; question papers. 
ListObjectsV2 works without any auth and the bucket root is listable too \u2014 anyone on the internet can download any scanned booklet \u2014 across institutions. Multiple institutions are using the same bucket, insanely insecure,\u201d he wrote.<span class=\"id-r-component br\" data-pos=\"7\"\/>According to Adhikary, the issue stemmed from a cloud storage configuration that allowed users to browse and download files without logging in or providing credentials. He also claimed that multiple institutions were using the same storage bucket, increasing the scale of the alleged exposure.<span class=\"id-r-component br\" data-pos=\"9\"\/>Screenshots shared by Adhikary appeared to show scanned answer booklets arranged in a file directory.<span class=\"id-r-component br\" data-pos=\"12\"\/><span class=\"id-r-component br\" data-pos=\"14\"\/>Congress leader Jairam Ramesh shared Adhikary\u2019s post on X. \u201cIn today\u2019s developments on Mantri Pradhan\u2019s Ministry of Scandals, the answer sheets of 2 million CBSE Grade 12 students have been shown to be available in the public domain. This is a data breach of monumental proportions and it compromises the privacy of 2 million students,\u201d Ramesh wrote.<span class=\"id-r-component br\" data-pos=\"16\"\/>The allegations come shortly after Adhikary claimed to have found several vulnerabilities in CBSE\u2019s On-Screen Marking (OSM) portal. In a blog post titled \u201cExposing Critical Vulnerabilities in CBSE\u2019s On-Screen Marking Portal\u201d, he said he discovered the issues on February 25 and reported them to CERT-In before making them public.<span class=\"id-r-component br\" data-pos=\"20\"\/>\u201cI was able to log in as an examiner and reach the evaluation dashboard, where I could view and edit marks,\u201d Adhikary wrote in the blog. 
He also alleged that OTP verification could be bypassed and that several reported issues remained unpatched for an extended period.<span class=\"id-r-component br\" data-pos=\"23\"\/>As the claims gained traction, users reported that the OSM portal had become temporarily inaccessible. CBSE later responded to the allegations, stating that the URL cited in social media posts was not the portal used for actual evaluation work.<span class=\"id-r-component br\" data-pos=\"25\"\/>\u201cAt the outset, it is clarified that the Portal used for evaluation of answer-books bore a different URL, which has neither been compromised nor does it have the vulnerabilities indicated in the said social media post,\u201d CBSE said in a statement posted on X.<span class=\"id-r-component br\" data-pos=\"28\"\/>The board further stated that the website identified by Adhikary was only a testing platform containing sample data. \u201cThere are no actual evaluation data, marks or other data held on that portal. The Board emphasises that no security breaches have come to light on the Portal deployed for the actual evaluation work,\u201d the statement added.<span class=\"id-r-component br\" data-pos=\"30\"\/><\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/timesofindia.indiatimes.com\/education\/news\/anyone-can-download-teen-hacker-alleges-cbse-answer-sheets-were-exposed-online\/articleshow\/131420123.cms\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Days after alleging security flaws in CBSE\u2019s digital evaluation system, 19-year-old ethical hacker Nisarga Adhikary has claimed that scanned answer sheets and question papers linked to the board were publicly accessible.In a post on X, Adhikary alleged that an AWS bucket containing 2026 answer sheets and question papers could be accessed without authentication. 
\u201cCBSE people [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":14963,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[264],"tags":[],"class_list":["post-14962","post","type-post","status-publish","format-standard","has-post-thumbnail","category-education"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/posts\/14962","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/comments?post=14962"}],"version-history":[{"count":0,"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/posts\/14962\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/media\/14963"}],"wp:attachment":[{"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/media?parent=14962"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/categories?post=14962"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/banitoday.com\/hi\/wp-json\/wp\/v2\/tags?post=14962"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}