A significant data exposure incident has been reported in the JEE Advanced 2026 examination infrastructure, where a public cloud storage misconfiguration left sensitive candidate data accessible without authentication. The breach was first brought to light by security researcher Rylen Anil, who discovered that the cloud storage device was improperly configured, allowing anyone to access the stored files.
Scale of the Data Exposure
The misconfiguration exposed approximately 179,600 result records and around 187,300 admit-card PDFs. These files contained personally identifiable information (PII) including candidate names, dates of birth, and mobile numbers. The data was stored in a read-only format, which means that while unauthorized access was possible, the integrity of the data could not be altered.
Response from IIT Roorkee
IIT Roorkee, the organizing institute for JEE Advanced 2026, promptly acknowledged the issue. In a statement on June 2, 2026, the institute thanked Rylen Anil for reporting the configuration flaw and confirmed that the vulnerability was being addressed on a priority basis. They emphasized that the data was read-only, thus eliminating any risk of alteration, and commended the researcher for responsible and ethical disclosure.
Parallel Incident: CBSE Cloud Exposure
In a related development, another security researcher named Nisarga reported a similar misconfiguration in the Central Board of Secondary Education (CBSE) cloud infrastructure. On May 31, 2026, Nisarga disclosed that an AWS bucket used by CBSE was improperly configured, allowing anyone to list and enumerate all media files without authentication. This included scanned answer sheets and question papers for the 2026 examinations. The bucket root was listable, enabling anyone on the internet to download scanned documents.
Implications and Security Measures
These incidents highlight critical vulnerabilities in cloud storage configurations used by educational institutions. The exposure of personal data such as names, DOBs, and mobile numbers poses risks of identity theft and phishing attacks. While no data alteration was possible in the JEE Advanced case, the mere accessibility of such sensitive information is a serious breach of privacy. Both IIT Roorkee and CBSE are urged to implement robust security protocols, including proper access controls, encryption, and regular audits, to prevent future occurrences.
Conclusion
The JEE Advanced 2026 data leak serves as a stark reminder of the importance of cloud security in handling sensitive examination data. The quick response from IIT Roorkee and the ethical reporting by researchers are commendable, but systemic changes are needed to safeguard candidate information. Educational bodies must prioritize cybersecurity to maintain trust and protect the privacy of millions of students.
