A 19-year-old cybersecurity researcher has claimed that a test version of the Central Board of Secondary Education’s (CBSE) On-Screen Marking (OSM) portal featured a hard-coded master password capable of bypassing security measures, including OTP verification, and potentially allowing unauthorised access to examiner accounts and student marks.
Nisarga Adhikary shared details of the alleged vulnerability. According to him, the issue was identified while reviewing the backend code of the OSM test website, which was introduced for the Class 12 board examinations this year.
CBSE has firmly rejected suggestions that its operational evaluation portal was affected, clarifying that the vulnerabilities pointed out by the teenager pertained solely to a testing site containing sample data. The board maintains that the actual portal used for evaluation, hosted at a different URL, remains secure and uncompromised.
The OSM system was rolled out by CBSE for Class 12 examinations in 2026, replacing traditional manual checking with digital scanning and online evaluation of answer sheets. The board promoted it as a measure to minimise errors in totaling, reduce human intervention, and accelerate the marking process. However, the implementation has faced significant backlash from students citing problems such as unclear scans, missing pages, and discrepancies in uploaded answer sheets during re-evaluation.
Adhikary said that the portal’s frontend JavaScript code contained a literal password string. This master password, he alleged, could bypass authentication protocols and grant direct entry to the evaluation dashboard. Using publicly available examiner user IDs and school codes, one could reportedly log in without completing the OTP step.
Once inside, the researcher claimed it was possible to edit answer sheet evaluations, examiner details, and even bank information. He suggested that a malicious actor could exploit such access to alter student marks on a large scale or extract sensitive data for sale on the black market.
Adhikary also highlighted additional weaknesses, including flaws in the OTP system, an insecure password-reset mechanism that allowed account takeovers with minimal information, and around 40 broken access control issues permitting unauthorised viewing of restricted sections.
The teenager said he reported the findings to the Indian Computer Emergency Response Team (CERT-In) in February, along with technical evidence and screen recordings.
In response, CBSE emphasised that no security breach occurred in the live OSM system and that robust grievance redressal measures are in place. Adhikary countered that he accessed what appeared to be production data, including real examiner profiles.
The controversy adds to ongoing concerns surrounding the OSM rollout, including high-profile cases like that of Delhi student Vedant Shrivastava, where mismatched answer sheets were acknowledged by the board.
