The Nisarga Adhikary CBSE disclosure is not a hacking story. It is a procurement story: a private vendor named M/s Coempt EduTeck Pvt. Ltd. was paid to build a portal handling 1.8 million students’ Class 12 marks, shipped it with a hardcoded master password readable in the browser, and CBSE accepted it. A teenager found the flaw 16 days after launch by opening the browser developer tools. India’s national cybersecurity body then sat on the disclosure for 90 days while evaluation continued on the same portal.

Quick Answer: Nisarga Adhikary CBSE OSM Portal 2026
  • Nisarga Adhikary, 19, from West Bengal, found five critical vulnerabilities in CBSE’s OSM portal on February 25, 2026, 16 days after the portal went live.
  • The portal, cbse.onmark.co.in, is built and operated by M/s Coempt EduTeck Pvt. Ltd. The same OnMark platform is used by multiple state boards and institutions.
  • A hardcoded master password was visible in the portal’s public JavaScript bundle, readable by anyone with a browser. No hacking tools required.
  • CERT-In received the disclosure on February 25, 2026, sent a boilerplate email, and went silent. No patch confirmation for nearly three months.
  • During those 90 days, 1.8 million Class 12 students had their answer sheets evaluated on the vulnerable portal.
  • Internet Freedom Foundation has written to the Ministry of Education and CERT-In demanding an investigation into CBSE’s contract with Coempt EduTeck.
  • If your Class 12 marks feel wrong or your answer sheet seems mismatched, file a revaluation request at cbse.gov.in immediately. Do not wait.

Key figures
  • 16 days: portal live before flaw found
  • 5: critical vulnerabilities found
  • 90 days: CERT-In response time
  • 1.8 crore: Class 12 students affected

What is the Nisarga Adhikary CBSE OSM portal disclosure?

How a Class 12 student read JavaScript and broke a national exam system

By a CBSE circular dated February 9, 2026, the board announced it was moving Class 12 answer sheet evaluation from physical paper to a digital On-Screen Marking system. Under OSM, physical answer sheets are scanned and uploaded to a portal at cbse.onmark.co.in, where registered examiners log in, mark them on screen, and submit scores. More than 1.8 million students appear for Class 12 examinations, per CBSE’s own enrollment data. Their marks now flow through this portal.

On February 25, 2026, sixteen days after the portal went live, Nisarga Adhikary, a 19-year-old cybersecurity researcher from West Bengal who had just finished his own Class 12 exams, noticed the portal link was public and opened the JavaScript that the browser was downloading. He did not use any hacking tools. He read the code. What he found, and reported to CERT-In the same day, was a portal that could be described without technical exaggeration as having been shipped with the front door unlocked and the key taped to the window.

The vendor nobody is naming
M/s Coempt EduTeck Pvt. Ltd.

CBSE’s OSM portal operates on the OnMark platform built by Coempt EduTeck Pvt. Ltd., a private vendor. The same OnMark platform is used by multiple state boards and educational institutions across India, per Nisarga Adhikary’s own blog post. The Internet Freedom Foundation has formally written to the Ministry of Education demanding a review of CBSE’s contract with this vendor. No other major outlet has reported on the vendor by name.

Why did the CBSE OSM portal have a hardcoded master password in 2026?

Five vulnerabilities. One JavaScript file. Zero server-side validation.

The five vulnerabilities Nisarga found are not sophisticated. They are the kind of flaws that a competent security audit, run before any portal handles 1.8 million students’ marks, would catch in a first pass. That no such audit appears to have been conducted, or that its findings were ignored, is the story underneath the story.

Flaw 01: Hardcoded Master Password (Critical)
A literal password string embedded in the publicly accessible JavaScript bundle. Anyone reading the code could use it to bypass the OTP and authentication system entirely. Required only an examiner’s user ID and school code to exploit.

Flaw 02: Client-side OTP Validation (Critical)
OTP authentication was validated in the user’s browser, not on the server. This means the security check could be bypassed without ever contacting the server. A fundamental architecture failure.

Flaw 03: Broken Access Controls / IDOR (Critical)
By changing examiner ID numbers in browser URL parameters, an attacker could access other examiners’ accounts and evaluation records. No server-side check verified that the logged-in user matched the requested resource.

Flaw 04: Password Reset Without Verification (High)
The password reset mechanism allowed changing an examiner’s credentials without verifying the old password. Combined with IDOR, this enabled full account takeover of any registered examiner.

Combined, flaws 01 through 04 enabled what the Internet Freedom Foundation described in its letter as “complete takeover of any examiner account and, by extension, the alteration of marks at scale.” This was not a theoretical risk. The portal was live. Examiners were actively marking answer sheets.
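
What the missing server-side checks for flaws 01 through 04 look like, as an added example that is not OnMark's code or the researcher's. It assumes a password-plus-OTP login; every name (`issueOtp`, `login`, `getSheets`, `changePassword`) and the two sample examiners are hypothetical and constructed for illustration.

```javascript
// Added example, not the portal's code: all names and data below are hypothetical.
const crypto = require("node:crypto");

const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);
const safeEq = (a, b) => a.length === b.length && crypto.timingSafeEqual(a, b);

// Constructed sample data: two examiners, each with a salted password hash.
const examiners = new Map();
for (const [id, pw] of [["EX100", "old-pass-100"], ["EX200", "old-pass-200"]]) {
  const salt = crypto.randomBytes(16);
  examiners.set(id, { salt, hash: hashPw(pw, salt), otp: null, sheets: [`sheet-of-${id}`] });
}
const sessions = new Map(); // token -> examinerId, held only on the server

// Flaw 02 fix: the OTP is generated, stored and checked on the server.
function issueOtp(examinerId, now = Date.now()) {
  const code = String(crypto.randomInt(0, 1e6)).padStart(6, "0");
  examiners.get(examinerId).otp = { code, expires: now + 5 * 60_000, tries: 0 };
  return code; // delivered out of band (SMS/e-mail), never shipped in client code
}

// Flaw 01 fix: password and OTP are both required; no master-credential branch exists.
function login(examinerId, password, otp, now = Date.now()) {
  const ex = examiners.get(examinerId);
  if (!ex || !ex.otp || now > ex.otp.expires || ++ex.otp.tries > 5) return null;
  const pwOk = safeEq(hashPw(password, ex.salt), ex.hash);
  const otpOk = safeEq(Buffer.from(String(otp)), Buffer.from(ex.otp.code));
  if (!pwOk || !otpOk) return null;
  ex.otp = null; // single use
  const token = crypto.randomBytes(32).toString("hex");
  sessions.set(token, examinerId);
  return token;
}

// Flaw 03 fix: the session, not the ID in the URL parameter, decides whose data is served.
function getSheets(token, requestedId) {
  const owner = sessions.get(token);
  if (!owner || owner !== requestedId) return { status: 403 };
  return { status: 200, sheets: examiners.get(owner).sheets };
}

// Flaw 04 fix: a password change needs the current password and targets only the session owner.
function changePassword(token, requestedId, oldPw, newPw) {
  const owner = sessions.get(token);
  if (!owner || owner !== requestedId) return { status: 403 };
  const ex = examiners.get(owner);
  if (!safeEq(hashPw(oldPw, ex.salt), ex.hash)) return { status: 401 };
  ex.hash = hashPw(newPw, ex.salt);
  return { status: 200 };
}
```

Because the browser only ever holds an opaque session token, nothing in the downloaded JavaScript can stand in for the password, the OTP or another examiner's identity.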

“Not a hash, not a token reference, but the literal password string.”

— Nisarga Adhikary, describing the hardcoded master password, personal blog ni5arga.com, May 22, 2026

What did CERT-In and CBSE say about the Nisarga Adhikary disclosure?

Boilerplate email. 90 days. A student blog goes viral. Then the Ministry steps in.

CERT-In, India’s national cybersecurity response body under the Ministry of Electronics and Information Technology, received Nisarga’s full disclosure on February 25, 2026. Per the IFF account of events, CERT-In acknowledged receipt with a boilerplate email and then went silent. No patch confirmation. No communication. No public advisory. For nearly three months, the vulnerabilities remained unpatched. Class 12 evaluation, scheduled under CBSE’s February 9 circular, proceeded on the same portal during this window.

On May 22, 2026, Nisarga published his findings on his personal blog and shared them on X. Tech entrepreneur Deedy Das amplified the post, and it went viral within hours. CBSE has not publicly confirmed or denied any breach. The Education Ministry has since announced it will oversee CBSE Class 12 evaluation. IIT experts and public sector banks have been called in to audit the OSM system. That it took a teenager’s blog post to trigger government action that CERT-In’s disclosure process should have triggered three months earlier is the failure the IFF letter puts on record. As TNT News Buzz documented in the NEET refund portal activation case in May, India’s examination system has a documented pattern of digital infrastructure failures meeting institutional silence.

Timeline: from disclosure to public crisis

  • February 9, 2026: CBSE circular announces shift to digital On-Screen Marking for Class 12. Portal goes live at cbse.onmark.co.in, operated by M/s Coempt EduTeck Pvt. Ltd.
  • February 25, 2026: Nisarga Adhikary, 19, discovers five critical vulnerabilities in the OSM portal’s public JavaScript. Reports all findings to CERT-In the same day with full technical details.
  • March to May 2026: CERT-In sends one boilerplate acknowledgement email. No follow-up. No patch confirmation. No advisory. Class 12 evaluation proceeds on the vulnerable portal. 1.8 million students’ marks are processed.
  • May 22, 2026: Nisarga publishes findings publicly on ni5arga.com. Tech entrepreneur Deedy Das amplifies on X. Story goes viral. CBSE and CERT-In face public pressure for the first time.
  • May 26-27, 2026: Internet Freedom Foundation writes to Ministry of Education and CERT-In. Education Ministry announces oversight of CBSE evaluation. IIT experts and public sector banks called in to audit OSM.

What does this mean for CBSE Class 12 students: 2026 guide

STUDENT ALERT

If your Class 12 marks appear incorrect or your answer sheet shows a mismatch with your handwriting, file a revaluation or verification request immediately at cbse.gov.in. Do not assume errors will be corrected automatically.

CBSE has not confirmed any verified breach or confirmed mark alteration. However, the portal’s vulnerabilities were known and unpatched during the evaluation window. If you have received markedly low scores that do not reflect your performance, document the discrepancy and pursue the official grievance mechanism.

IFF’s letter to the Ministry is public record. Reference it if you face resistance in the revaluation process. The IFF letter is available at internetfreedom.in.

One vendor. Multiple boards. One set of flaws. Zero public audit.

The most consequential fact in this story is one that every other outlet has mentioned in passing and none has pursued: Coempt EduTeck’s OnMark platform is not exclusively used by CBSE. Nisarga’s own blog post confirms the same platform is deployed across multiple boards and institutions. If the CBSE instance of OnMark shipped a hardcoded master password in its public JavaScript, the question is not only whether CBSE’s marks were at risk. The question is which other board’s marks ran through the same codebase, and whether those instances carry the same class of vulnerabilities.

IFF’s letter demands a review of CBSE’s contract with Coempt EduTeck. It does not appear to have demanded an audit of every other institution using OnMark. That gap is where 90 days of CERT-In silence leaves the country: knowing a private vendor shipped a broken product to a national examination board, while the same vendor continues to serve other boards, with no public audit, no mandatory disclosure, and no statutory deadline forcing CERT-In to respond. The specific question that neither CBSE, CERT-In, nor the Ministry of Education has answered: who approved Coempt EduTeck’s OnMark platform for national examination use, what security testing was required before that approval, and who signed off on the contract?

Frequently Asked Questions
Who is Nisarga Adhikary and what did he find in the CBSE portal?
Nisarga Adhikary is a 19-year-old cybersecurity researcher from West Bengal who had just finished his own Class 12 exams when he discovered five critical vulnerabilities in CBSE’s On-Screen Marking portal in February 2026. He found a hardcoded master password in the portal’s publicly accessible JavaScript, OTP bypass flaws, broken access controls, and an IDOR vulnerability that together allowed full takeover of any examiner account and potential alteration of student marks.
What is the CBSE OSM portal and who built it?
The CBSE On-Screen Marking portal at cbse.onmark.co.in is used to digitally evaluate Class 12 board exam answer sheets. CBSE announced the shift to digital evaluation by a circular dated February 9, 2026. The portal operates on the OnMark platform of M/s Coempt EduTeck Pvt. Ltd., a private vendor whose platform is also used by multiple state boards and institutions across India.
What is a hardcoded master password and why is it dangerous?
A hardcoded master password is a credential embedded directly in application code rather than stored securely on a server. In the CBSE OSM case, the literal password string was visible inside the portal’s publicly accessible JavaScript files, readable by anyone who opened the browser’s developer tools. Anyone with an examiner’s user ID and school code could use it to bypass OTP authentication and access examiner accounts.
Why did CERT-In not respond to Nisarga Adhikary’s disclosure for 90 days?
CERT-In, India’s national cybersecurity response body, acknowledged Nisarga Adhikary’s February 25, 2026 disclosure with a boilerplate email and then went silent, per the Internet Freedom Foundation. No patch confirmation, no follow-up, and no public advisory was made for nearly three months, during which Class 12 evaluation was conducted on the vulnerable portal.
Are CBSE Class 12 student marks affected by the OSM portal vulnerabilities?
CBSE has not confirmed any verified breach or mark alteration. However, 1.8 million Class 12 students had their answer sheets evaluated on the OSM portal during the 90-day window when vulnerabilities were known but unpatched. Multiple students have separately raised complaints about answer sheet mismatches, blurred scans, and incorrect marks. The Education Ministry has assumed oversight and IIT experts and public sector banks have been called in to audit.
Is it legal for a student to probe government exam portals for security flaws in India?
India has no formal vulnerability disclosure policy protecting ethical hackers. Sections 43 and 66 of the IT Act 2000 could technically apply to unauthorized computer access regardless of intent. IFF argues Nisarga acted in public interest through responsible disclosure and has written to the Ministry demanding protection for him and reform of India’s disclosure framework.
What is IFF demanding from the Ministry of Education and CERT-In?
The Internet Freedom Foundation has written to the Secretary, Department of School Education and Literacy, and the Director General of CERT-In, seeking an investigation into CBSE’s conduct, a review of CBSE’s contract with OSM vendor M/s Coempt EduTeck Pvt. Ltd., and systemic reform of India’s coordinated vulnerability disclosure process to include statutory response timelines for CERT-In.