• Source:JND

Jagran Correspondent Ritika Mishra | Amidst cybersecurity concerns surrounding the CBSE's On-Screen Marking (OSM) system, technical flaws have now been detected in the National Testing Agency (NTA) re-examination portal and DigiLocker. JEE Advanced 2026 candidate data has also been leaked, highlighting the vulnerability of key education systems.

Researcher Bypassed Superadmin Login And Gained Access To The Dashboard

Dubai-based cybersecurity researcher Rylen Anil claimed to have discovered a serious security flaw in the NTA's official re-examination portal, allowing him to bypass the superadmin login and gain access to the dashboard.

'Extremely Weak Credentials'

Anil, in a post on the internet media platform X, wrote that extremely weak credentials were used on the portal, making it possible to gain superadmin access. Credentials refer to the login ID (username) and password that you use to securely log in to a website, app, or system.

JEE Advanced 2026 Candidates' Data Also Leaked

The cybersecurity researcher also claimed that the infrastructure linked to the JEE Advanced 2026 candidates and results was affected by a security flaw. According to him, the cloud storage associated with cdata.jeeadv.ac.in/result2026/ was publicly accessible without authentication due to a misconfiguration.

He has also shared on X screenshots of the data after breaching the secured website. The researcher stated that approximately 1.79 lakh result records and 1.87 lakh admit card PDF files were accessible due to this vulnerability. These included candidates' names, dates of birth, mobile numbers, and other personal information. This vulnerability could put a large number of students' sensitive data at risk.

Students' Personal Data At Risk

He also shared screenshots of this access. This vulnerability provided access to information related to approximately 7,900 observers, 676 city coordinators, and 5,400 center superintendents and exam centers. JEE Advanced candidate data was also shared on X. This included names, email addresses, mobile numbers, and other personal information. In cybersecurity parlance, this type of information is considered personally identifiable information (PII), which can be misused for phishing, fraud, or other cybercrimes.

Anil further claimed that the SuperAdmin dashboard not only allowed for data viewing but also provided several important administrative options. These included managing observers and other personnel, exporting data to CSV format, generating and downloading appointment letters, uploading various templates, and mapping nodal officers.

This is not just a technical flaw, but a security issue involving a large amount of sensitive data. If unauthorised individuals gain such access, it could seriously impact the confidentiality and integrity of the examination management system.

This could impact sensitive records and administrative processes. He appealed to the NTA and the Ministry of Education to immediately intervene to secure the portal, ensure data security, and explain how such a serious flaw existed in the system.

Big Question Over DigiLocker's Login Security

Anil also claimed that the login security system of the CBSE's DigiLocker portal is weak. According to him, AES (Advanced Encryption Standard) encryption is used to protect data during login, but the secret password (passphrase) used for this is written in the website's code itself.

Encryption is a technical process that uses mathematical algorithms and a digital key to convert readable information (plaintext) into a secret code (ciphertext) that can only be read by the person with the correct key.

Lock And Key Are Unsafe

The researcher argued that the entire encryption logic is contained in a public JavaScript file, accessible to anyone. In this case, encryption becomes an ineffective layer of security because both the encryption key and the process are publicly available. In other words, the key to the lock that secures the data is stored alongside the lock in the website's publicly accessible code, so anyone with technical knowledge can understand how the data security process works.

Extremely Easy For Cybercriminals To Abuse

According to experts, if both the encryption key and the method used are made public, it could be easier for cyber attackers to understand and exploit the security system. This increases the risk of compromising the security of users' login data and other sensitive information. There was no official response from the NTA or CBSE on the matter.

(With Jagran.com inputs)

