Find out who is Nisarga Adhikary, a 19-year-old boy, who hackedinto CBSE’s server and accessed various important files
Not sure of what we’re talking about? Here is everything you need to know about the controversial hacking scandal and the individual behind it.
Who is Nisarga Adhikary, ethical hacker who exposed vulnerabilities in India’s CBSE’s OnMark Portal
What Exactly Happened?
Ethical Hacker Nisarga Adhikary who exposed vulnerabilities in CBSE’s OnMark portal, exposed serious security lapses, including easily guessable passwords, unsecured databases, and public storage buckets that allegedly exposed sensitive data such as answer sheets and student credentials. He also raised concerns over data privacy and sovereignty, alleging that CBSE’s tech vendor, COEMPT Eduteck, processed sensitive student data using Google’s Gemini and stored answer sheets in public Amazon Web Services buckets without the adequate security checks.
Earlier, social media platforms were buzzing with viral claims that someone had hacked into CBSE’s server and accessed various files including examination-related files.
Not just that, Adhikary went as far as to share the images online on his official X/Twitter account, wherein he stated that “anyone on the internet can download any scanned booklet” while adding “insanely insecure.”
This matter came into the spotlight amidst the ongoing controversy of CBSE paper leak and digital evaluation ecosystem of the central board.
What Did Adhikary Reveal?
Reportedly, the teenager driven by his curiosity examined the portal’s backend code, however, within an hour he ended up uncovering major systematic vulnerabilities.
Allegedly, after accessing the server, Nisarga immediately found the master password sitting in plain site in Javabundle. He alleged that using this password anyone could’ve bypass the Mandatory OTP verification.
Vedant Srivastava – 17 yrs old
Took to social media and exposed discrepancies in CBSE's OSM marking system.Nisarga Adhikary- 19 yrs old
Hacked CBSE website and informed them (and us) that it is vulnerable and can be hacked.Sarthak Sidhant- 17 yrs old
Exposed how CBSE bent… pic.twitter.com/sbTEvtGtRI— PunsterX (@PunsterX) May 30, 2026
This allows any user, who’s trying to access, to log into the any examiner’s account across India, given if they knew the user ID of the particular examiner.
Additionally, he also revealed that a linked AWS service of CBSE, which is a storage bucket, where millions of scanned answer sheets and question papers of 2026 were publicly viewable and downloadable without any authentication.
To prove his claims, the teenager even shared a screen recording of the now-viral “bad apple” silhouette animation running directly on CBSE-linked dashboard.
Who is Nisarga Adhikary?
CBSE people didn't configure their AWS bucket properly and now we can paginate & enumerate all their media which has 2026 answersheets & question papers. ListObjectsV2 works without any auth and the bucket root is listable too — anyone on the internet can download any scanned… pic.twitter.com/Jy6MMyHzbP
— nisarga (@ni5arga) May 31, 2026
Nisarga Adhikary is a 19-year-old self taught cybersecurity researcher.
The ethical hacker is from Siliguri, West Bengal. He came to spotlight in May 2026, after he discovered the critical security flaws in CBSE’s newly launched OSM portal, a digital system scanner used to grade scanned Class-12 board answer sheets.
At the time of hacking and discovery, the teenager himself was just class-12 student, who have just given his own board exams.
Reportedly, Nisarga Adhikary began programming as a young teenager, and despite recently graduating from High School, he already works for Wavelength, a tech firm based in Bengaluru, as a remote software engineer.
Meet Vedant Shrivastava, Nisarga Adhikary, and Sarthak Sidhant ,they exposed CBSE in every possible way :
17 years old Vedant Shrivastava :
> Applied for the CBSE re-evaluation process
> Got a different Physics answer sheet
> Posted it on X
> Got labelled "Pakistani" by the… pic.twitter.com/Nvtusk3A9s— Dev (@refocus21) May 30, 2026