JEE Advanced 2026 Candidates' Data Including Mobile Numbers Exposed, Claims Cyber Security Researcher
A cybersecurity researcher revealed that the JEE Advanced 2026 result portal, cdata.jeeadv.ac.in, had an unsecured AWS cloud storage bucket. The misconfiguration exposed over 179,000 result records and 188,000 admit cards without authentication. Admins have since updated permissions, disabling public access to candidate data.
A Cyber Security researcher has flagged a critical infrastructure vulnerability in the official joint entrance examination portal linked to the JEE Advanced 2026 result infrastructure. According to technical reports and social media disclosures published today, June 2, a significant public cloud storage misconfiguration exposed bulk candidate information without requiring formal authentication. The open architecture affected the dedicated results database subdomain (https://cdata.jeeadv.ac.in/result2026/), just as lakhs of engineering aspirants began accessing the portal following the official June 1 results release by Indian Institute of Technology (IIT) Roorkee.
Unauthenticated List Access Discovered
In a post on X (formerly Twitter), the Cyber Security researcher said that the public cloud storage misconfiguration exposed over 1,79,000 result records and nearly 1,88,000 admit-card PDFs, including candidate names, DOBs and mobile numbers. The researcher also stated that the vulnerability found in the JEE Advanced 2026 data leak is similar to the vulnerability found by Nisarga leaking all the CBSE answer scripts. The infrastructure discrepancy was initially documented by the Cyber Security researcher who monitored public cloud storage endpoint configurations. Independent cybersecurity researchers confirmed that the cdata portal sub-domain - which hosts candidate scorecards, metrics, and ranking assets - was backed by an inadequately secured Amazon Web Services (AWS) storage bucket. Rahul Gandhi Accuses Centre of ‘Shielding’ Dharmendra Pradhan After CBSE Officials Transferred.
Cyber Security Researcher Says JEE Advanced 2026 Result Had Public Cloud Storage Misconfiguration
The vulnerability found here is similar to the vuln found by @ni5arga leaking all the CBSE anwser scripts https://t.co/WeTk7HwV5C
— Rylen Anil (@DarthKermi72747) June 2, 2026
According to technical analysis shared on the social media platform X, the storage directory lacked mandatory access control restrictions. The implementation of standard protocol functions such as ListObjectsV2 operated without an authentication layer, meaning the root database directories were completely listable. As a result, anyone with basic networking tools could potentially paginate, enumerate, and bulk-download scanned student records across various institutional data pools.
Impact on Candidate Data Privacy
The vulnerability came to light during peak usage of the network infrastructure. Following the May 17 examination, approximately 1.79 lakh candidates sat for both required papers, with IIT Roorkee officially publishing the All India Ranks (AIR) and individual scorecards on Monday, June 1. Because the portal handles confidential candidate parameters - including registration IDs, subject-wise marks in Physics, Chemistry, and Mathematics, date of birth details, and qualifying positions - the open configuration raised immediate data privacy concerns. Cyber experts noted that open repositories of this nature are frequently targeted by malicious actors looking to harvest high-value identity data for secondary phishing schemes or unauthorised educational marketing databases.
The security oversight occurs amid heightened institutional sensitivity surrounding national entrance test administration in India. Following recent multi-city operational controversies and data security audits over paper leaks in other competitive examinations like NEET-UG, government agencies have heavily pushed for a transition toward secure computer-based testing (CBT) and centralised digital storage frameworks.
The JEE Advanced results framework utilises specialised subdomains like cdata.jeeadv.ac.in to handle high-concurrency traffic spikes during the release window, distributing the server load away from the main portal. Analysts noted that while cloud buckets offer elite scalability for rendering lakh-scale PDFs simultaneously, failing to disable public directory listing remains one of the most common oversights in modern cloud deployments. CBSE OSM Row: Govt Appoints Lokhande Prashant Sitaram as New Chairperson, Varun Bhardwaj as Secretary.
Mitigation and Current Status
Upon the public propagation of the exploit mechanics, network administrators reportedly adjusted the underlying identity and access management (IAM) permissions on the storage bucket. The remediation steps included disabling public execution privileges on list commands and restricting unauthenticated programmatic API calls to the root directory. While the Joint Admission Board (JAB) and IIT Roorkee have not issued an official public statement quantifying the precise timeline of the exposure or confirming whether automated scrapers successfully extracted the bulk candidate pool, access controls on the cdata subdomain have been modified. Candidates can currently continue logging into the portal via standard verified credential prompts requiring their explicit registration sequence and date of birth variables.
(The above story first appeared on LatestLY on Jun 02, 2026 10:23 PM IST. For more news and updates on politics, world, sports, entertainment and lifestyle, log on to our website latestly.com).
