▣ Breach NTA-INDIA-JEE 2026-06-03

National Testing Agency: Superadmin Bypass and JEE Advanced Data Exposure

India's National Testing Agency (NTA) is facing fresh scrutiny after Dubai-based cybersecurity researcher Rylan Anil disclosed that the agency's official re-examination portal could be accessed at the superadmin level by bypassing authentication. In parallel, the researcher alleged that a misconfigured cloud directory tied to JEE Advanced 2026 exposed roughly 1.79 lakh result records and 1.87 lakh admit card PDFs without any login required.

What Happened

According to disclosures made by researcher Rylan Anil on X, the NTA's re-examination portal contained a flaw that permitted entry into the superadmin login area without proper authorisation. The researcher characterised the underlying issue as a reliance on weak credentials, which enabled access to the administrative dashboard governing high-stakes examination workflows. Separately, infrastructure associated with JEE Advanced 2026 was reportedly left exposed through a publicly accessible cloud directory at cdata.jeeadv.ac.in/result2026/, requiring no authentication to browse. The combined disclosures have reopened questions about the security posture of India's nationwide examination systems, including CBSE's DigiLocker platform, which the researcher also flagged.

What Was Taken

While the researcher's disclosure focuses on access rather than confirmed exfiltration by malicious actors, the data within reach was substantial. Screenshots shared publicly indicate approximately 1.79 lakh (179,000) result records and roughly 1.87 lakh (187,000) admit card PDFs were accessible from the misconfigured JEE Advanced directory. Admit cards typically contain candidate names, photographs, roll numbers, exam centre details, and other personally identifiable information. Superadmin access to the re-examination portal would, in principle, place the integrity of candidate records, exam configurations, and re-evaluation workflows at risk.

Why It Matters

JEE Advanced is the gateway examination for India's elite IITs, and NTA administers some of the country's most consequential academic assessments. A superadmin bypass on its re-examination portal is not just a privacy concern: it is a direct threat to examination integrity, with downstream consequences for university admissions, scholarship eligibility, and public trust in centralised testing. Exposed admit cards and result data also fuel identity fraud, targeted phishing against students and families, and impersonation scams during the high-pressure admissions window. For defenders in the public sector, the incident underscores how legacy authentication patterns and unhardened cloud storage continue to undermine otherwise modernised digital service stacks.

The Attack Technique

The researcher attributed the superadmin access to weak credentials guarding the administrative login on the NTA re-examination portal, suggesting either default, guessable, or insufficiently protected authentication material rather than a sophisticated exploit chain. The JEE Advanced 2026 exposure is described as a cloud storage misconfiguration: a directory left publicly browsable at cdata.jeeadv.ac.in/result2026/ without access controls or authentication gates. Together, the two issues reflect classic, well-understood weaknesses: credential hygiene failures on privileged interfaces and unauthenticated object storage exposing bulk sensitive PDFs.

What Organizations Should Do

  1. Audit all administrative and superadmin login interfaces for default, weak, or shared credentials, and enforce strong unique passwords plus multi-factor authentication on every privileged account.
  2. Inventory public-facing cloud directories and object storage buckets, and apply deny-by-default access policies so that result files, admit cards, and other PII require authenticated, authorised retrieval.
  3. Implement directory listing restrictions and remove auto-indexing on any web server hosting candidate or examination data.
  4. Establish a coordinated vulnerability disclosure programme so independent researchers can report flaws through official channels before public disclosure.
  5. Monitor administrative portals for anomalous logins, brute force attempts, and access from unexpected geographies, and alert on first-time superadmin sessions.
  6. Conduct an incident response review covering scope of exposure, potential exfiltration, candidate notification obligations, and regulatory reporting under India's data protection regime.
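One way to implement the monitoring in item 5, as an added example that is not part of the original brief or any NTA system: it scans authentication events for brute-force bursts from one source, a successful login following such a burst, and first-time superadmin sessions. The log format, thresholds, account names and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, role, source IP, outcome.
# The log format and all values are assumptions (IPs are documentation ranges).
SAMPLE_LOG = """\
2026-06-01T09:00:00 ops_lead superadmin 198.51.100.10 SUCCESS
2026-06-01T09:05:00 root superadmin 203.0.113.7 FAIL
2026-06-01T09:05:10 root superadmin 203.0.113.7 FAIL
2026-06-01T09:05:20 admin superadmin 203.0.113.7 FAIL
2026-06-01T09:05:30 admin superadmin 203.0.113.7 FAIL
2026-06-01T09:05:40 admin superadmin 203.0.113.7 FAIL
2026-06-01T09:05:50 admin superadmin 203.0.113.7 SUCCESS
2026-06-01T10:00:00 ops_lead superadmin 198.51.100.10 SUCCESS
"""

FAIL_THRESHOLD = 5               # failed logins from one IP ...
WINDOW = timedelta(minutes=2)    # ... inside this sliding window


def detect(log_text, known_sessions=frozenset()):
    """Return alerts as (kind, timestamp, account, ip) tuples, in log order."""
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()                # IPs already reported for brute force
    seen = set(known_sessions)     # (account, ip) pairs with a prior superadmin login
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue               # skip malformed lines instead of crashing
        ts_raw, account, role, ip, outcome = parts
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[ip]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()       # expire failures that left the window
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ts_raw, account, ip))
        elif outcome == "SUCCESS":
            if ip in flagged:      # a guess may have landed: highest priority
                alerts.append(("success_after_brute_force", ts_raw, account, ip))
            if role == "superadmin" and (account, ip) not in seen:
                seen.add((account, ip))
                alerts.append(("first_superadmin_session", ts_raw, account, ip))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, {("ops_lead", "198.51.100.10")}):
        print(alert)
```

Seeding `known_sessions` from an approved baseline keeps routine administrator logins quiet, so the first-session alert fires only for account and source pairs not seen before.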

Sources: Is India's exam system really secure? NTA portal breached, superadmin access bypassed; JEE Advanced data exposed | India News | Zee News