Nisarga Adhikary had just finished his own Class 12 board exams when he noticed something odd about CBSE's new grading portal. The portal, launched in February 2026, was publicly accessible. So he opened the source code.
What he found inside took less than an hour to uncover. A master password sitting in plain text inside a public JavaScript file. An OTP verification system that handed you the secret code before you'd even proved you received it. Internal pages that anyone could walk straight into without logging in at all. A password reset function that never actually checks your old password. And an entire API architecture that let you impersonate any examiner by changing a single value in your browser.
Five vulnerabilities. 1.8 million Class 12 students whose marks were being processed on this system. And one 19-year-old who did the right thing: he documented everything, made screen recordings, shot walkthrough videos, and filed a detailed report with CERT-In, India's national cybersecurity watchdog, on 25 February 2026.
CERT-In sent back a template email. Then said nothing for three months.
What the CBSE Portal Hack Actually Was
Before getting into the silence, it's worth understanding what Nisarga actually found. Because "cybersecurity vulnerability" can sound abstract. These were not abstract.
Vulnerability one: the master password. The CBSE On-Screen Marking portal is built as an Angular single-page application, so its entire front-end logic ships as a JavaScript bundle that anyone can download from the public URL. Inside that bundle, not encrypted, not hashed, just sitting there in readable text, was a master password. Enter that string at the login screen and the OTP verification step vanished. You were in. The only skill required was opening the browser's developer tools. The general point is worth stating plainly: anything compiled into a client bundle is public by construction, so a "master password" there is no password at all, and the check is as simple as searching the built JavaScript for the login code and reading what it compares the input against.
Vulnerability two: the OTP system was theatre. When a user triggered the two-factor flow, the server sent the freshly generated OTP back inside the login response payload. The JavaScript then compared what you typed against the code it had just received, locally in your browser, and the server never verified anything. Anyone watching the network tab could read the code directly. Or skip the form entirely and tell the app the check had passed, since the app, not the server, was the one deciding. A second factor only counts when the server keeps the secret and performs the comparison itself.
Vulnerability three: the internal pages had no guards at all. Navigate directly to /dashboard or /evaluatordetails, seed a handful of fake values into browser storage, which takes seconds in Chrome DevTools, and you were inside the evaluation system. No credentials. No authentication. Just paste a URL and press enter. Adding Angular route guards would not have fixed this on its own: a route guard runs in the user's browser and can be bypassed the same way. The API behind those pages has to refuse unauthenticated requests itself.
Vulnerability four: the password reset didn't verify identity. The form asked for an old password, as it should. But when Nisarga looked at the actual API request being sent, the old password wasn't in it, so the server could never have checked it. The server accepted whatever new password was submitted for whatever account was specified, no questions asked.
Vulnerability five: the entire API trusted you to tell it who you were. Nearly every API call carried the acting user's identity as a value the browser read out of session storage and sent along with the request, and the server used it as-is. Session storage is fully under the user's control, so change one value and every subsequent request executes as that examiner. Combine this with vulnerability four and you have a complete chain: pick any examiner's ID, reset their password through the API, log in legitimately, and open their assigned answer scripts.
As Nisarga put it: "None of this required sophisticated exploitation. The hardest part was reading a JavaScript file and editing a couple of values in DevTools."
Three Months of Silence
CERT-In's mandate, under Section 70B of the IT Act 2000, is explicitly to coordinate responses to cybersecurity incidents and vulnerabilities. Nisarga had handed them everything. Detailed written documentation. Screen recordings. Walkthrough videos showing each flaw step by step. He followed up multiple times.
The vulnerabilities remained live and unpatched through the entire evaluation season for 1.8 million Class 12 board exam students.
On 22 May 2026, having given the system three months to act, Nisarga published his findings publicly. The story went viral within days. Tech entrepreneur Deedy Das amplified it on X. The Internet Freedom Foundation wrote to the Ministry of Education demanding an investigation. Education Minister Dharmendra Pradhan announced that IIT Madras, IIT Kanpur, and IIT Chennai would review the portal.
CBSE's own response to the disclosure was to claim the portal Nisarga had accessed was a "testing environment with sample data." Nisarga pointed out that the URL CBSE cited in its statement wasn't even a real domain.
The Vendor Nobody Should Have Hired
Here is where it gets worse.
The company that built the CBSE OSM portal, M/s Coempt EduTeck Pvt. Ltd., is the renamed avatar of Globarena Technologies Private Limited. In 2018, the Telangana State Board of Intermediate Education awarded Globarena a three-year contract to digitise its examination processes.
On 18 April 2019, when results were declared, 3.5 lakh students were shown as failed. 3 lakh of those results had discrepancies. Students who scored 99 marks were shown 0. Students were marked absent despite sitting the exam. Twenty students died by suicide.
The Telangana High Court described the disaster as "as grave as 9/11 and the tsunami." A three-member committee, including experts from BITS Hyderabad and IIT Hyderabad, concluded that Globarena's software was responsible. They recommended replacing it entirely.
When asked about the deaths, Globarena's CEO, VSN Raju, said: "These kinds of errors happen every year, but this year it got politicised."
Globarena did not face serious legal consequences. It changed its name. First to Globarena iTeknowledge Private Limited, then to Coempt EduTeck Private Limited. And then, in early 2026, it was awarded the CBSE contract to handle the marks of 1.8 million students in a system whose JavaScript bundle contained a hardcoded master password.
The question nobody has answered: Did CBSE's empanelment process check whether Coempt EduTeck and Globarena were the same company? If yes, who approved the contract anyway? If no, what exactly is the empanelment process checking?
This Is Not an Isolated Incident
The CBSE portal hack sits inside a pattern that has been building for years. A parliamentary standing committee report from December 2025 found that of 14 major NTA examinations in 2024, at least five faced serious problems.
NEET UG 2024 was taken by over 24 lakh candidates. The Bihar Police arrested 13 people and found the paper had been sold for ₹30-32 lakh per candidate, 24 hours before the exam. 67 students topped NEET that year. 50 of them had received grace marks. Education Minister Pradhan's statement at the time: "There is no evidence of a paper leak in NEET-UG. The NTA is a very credible body."
UGC-NET June 2024 was cancelled the day after 9 lakh students sat it. The paper had been found circulating on the Darknet. The CBI investigated. It filed a closure report claiming no irregularities. A Delhi court asked for a written explanation. The CBI asked for more time.
NEET UG 2026 was cancelled nine days after the exam. 22.79 lakh students. A "guess paper" containing dozens of questions from the actual exam had been circulating before the exam date. The same geographic hotspots from 2024 appeared again. The refund bill exceeded ₹300 crore, borne by public funds. The NTA Director General told the Parliamentary Standing Committee that the paper had "not been leaked through their system."
The same minister who denied any leaks for seven years confirmed a Darknet leak weeks later. The same criminal networks that leaked NEET 2024 reportedly leaked NEET 2026. The same CBI that closed one exam case without a conviction is investigating the next.
What This Actually Costs
It is worth being direct about what "exam fraud at scale" means in practice.
India's NEET coaching industry is estimated at ₹10,000-15,000 crore annually. Families in Kota and Patna spend ₹5-15 lakh over two years preparing their children through legitimate study. Those families are competing against candidates whose parents paid ₹32 lakh directly to a criminal network for the answer key the night before.
The paper leak economy runs on organised crime. A single NEET operation serving 100 candidates generates over ₹300 crore in criminal revenue. The CBI's consistent failure to secure convictions, despite arrests and evidence, is not bureaucratic inefficiency. It is a pattern.
And every additional scandal erodes something harder to rebuild than a portal or an exam: the belief that the result on the screen reflects what you actually know. When students and families cannot trust the outcome, two years of study and a family's savings collapse into a single question. Was any of this real?
The Questions That Need Answers
The IIT audit announced by the Education Minister will look at the portal. That is not enough.
Who at CBSE cleared Coempt EduTeck's vendor empanelment? Was the company's prior history disclosed in the tender? What security audit was conducted before a national exam system went live with a hardcoded password in its public JavaScript?
Who at CERT-In is accountable for receiving a detailed vulnerability report with video evidence in February and responding to none of the follow-ups for three months?
Why are the same geographic networks that sold NEET 2024 still operational in 2026? What specific action was taken between those two years to disrupt them?
How many people have been convicted under the Public Examinations (Prevention of Unfair Means) Act 2024, which carries up to ten years in prison? The estimated conviction rate for exam malpractice is 5-10%. A law that does not result in convictions is not a deterrent. It is a press release.
A 19-year-old who had just finished his own board exams found what CBSE's vendor missed entirely and what CERT-In refused to act on. In under an hour. That fact alone tells you what institutional accountability looks like right now in Indian education.
The system is not failing because the problems are too complex to solve. It is failing because the people responsible for solving them have not been held accountable for the failure. Not yet.