JEE Advanced 2026 data leak claim surfaces, researcher flags cloud misconfiguration
The researcher claimed that around 1.79 lakh result records and nearly 1.87 lakh admit card PDFs may have been exposed.
3 Min Read
A Dubai-based cybersecurity researcher has flagged a possible data exposure linked to the JEE Advanced 2026 system.
Rylen Anil shared a post on the social media platform X and alleged that a misconfigured cloud storage setup allowed unauthorised access to large volumes of exam-related files. The issue involved publicly accessible cloud storage buckets where data could reportedly be listed and downloaded without authentication.
He claimed that around 1.79 lakh result records and nearly 1.87 lakh admit card PDFs may have been exposed. The data reportedly included basic personal details such as names, dates of birth, and mobile numbers.
ALSO READ | CBSE opens class 12 re-evaluation portal a day late after cybersecurity fix
IIT Roorkee, the organising institute, has acknowledged the issue and said it has been fixed on priority.
It clarified that the issue was not a hacking incident but a configuration problem in cloud storage. "Thank you @DarthKermy72747 for pointing out the configuration issue in the *cloud storage device*. The same is being plugged on priority.
“The institute also said that the data remained in ‘read-only’ mode, meaning it could be viewed but not altered. "The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour," the tweet read.
However, IIT Roorkee has since rejected suggestions that the incident amounted to a large-scale data breach, describing such reports as "misleading and factually incorrect." The institute said a temporary cloud-storage misconfiguration had occurred while technical measures were being implemented on June 2 to address admit-card access issues and ensure the smooth functioning of the registration process.
In a statement posted on X, IIT Roorkee said the issue was swiftly detected after being reported by Anil. The institute reiterated that the affected storage remained read-only throughout, meaning data could neither be edited nor deleted.
"These interventions resulted in a minimal, temporary misconfiguration in a cloud storage component," the institute said, adding that attempts to misrepresent the incident and undermine public trust in the examination system were "deeply concerning and should be discouraged."
The data leak claim came a day after another user said CBSE’s systems also had a similar cloud storage issue, where exam-related files were allegedly left exposed online due to incorrect AWS bucket configuration.
"The vulnerability found here is similar to the vuln found by @ni5arga leaking all the CBSE answer scripts," the post read.
According to the claim, the misconfigured storage allowed public access to exam materials such as answer sheets and question papers.
The researcher said the system’s listing feature was open without authentication, meaning anyone with the link could browse and download files stored in the bucket. The post also alleged that multiple institutions might be using the same storage setup.
Rylen Anil shared a post on the social media platform X and alleged that a misconfigured cloud storage setup allowed unauthorised access to large volumes of exam-related files. The issue involved publicly accessible cloud storage buckets where data could reportedly be listed and downloaded without authentication.
"JEE Advanced 2026 candidate/result infrastructure (https://cdata.jeeadv.ac.in/result2026/) had a public cloud storage misconfiguration exposing bulk candidate data without authorisation," the post read.
JEE Advanced 2026 candidate/result infrastructure (https://t.co/6mBpjkxH01) had a public cloud storage misconfiguration exposing bulk candidate data without auth.
This exposed ~179.6k result records and ~187.3k admit-card PDFs, including candidate names, DOBs and mobile numbers. pic.twitter.com/NUk4HGwqQP
— Rylen Anil (@DarthKermi72747) June 2, 2026
He claimed that around 1.79 lakh result records and nearly 1.87 lakh admit card PDFs may have been exposed. The data reportedly included basic personal details such as names, dates of birth, and mobile numbers.
ALSO READ | CBSE opens class 12 re-evaluation portal a day late after cybersecurity fix
IIT Roorkee, the organising institute, has acknowledged the issue and said it has been fixed on priority.
It clarified that the issue was not a hacking incident but a configuration problem in cloud storage. "Thank you @DarthKermy72747 for pointing out the configuration issue in the *cloud storage device*. The same is being plugged on priority.
“The institute also said that the data remained in ‘read-only’ mode, meaning it could be viewed but not altered. "The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour," the tweet read.
Thank you @DarthKermy72747 for pointing out the configuration issue in the *cloud storage device*. The same is being plugged on priority. The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour.
— IIT Roorkee (@iitroorkee) June 2, 2026
However, IIT Roorkee has since rejected suggestions that the incident amounted to a large-scale data breach, describing such reports as "misleading and factually incorrect." The institute said a temporary cloud-storage misconfiguration had occurred while technical measures were being implemented on June 2 to address admit-card access issues and ensure the smooth functioning of the registration process.
In a statement posted on X, IIT Roorkee said the issue was swiftly detected after being reported by Anil. The institute reiterated that the affected storage remained read-only throughout, meaning data could neither be edited nor deleted.
"These interventions resulted in a minimal, temporary misconfiguration in a cloud storage component," the institute said, adding that attempts to misrepresent the incident and undermine public trust in the examination system were "deeply concerning and should be discouraged."
The data leak claim came a day after another user said CBSE’s systems also had a similar cloud storage issue, where exam-related files were allegedly left exposed online due to incorrect AWS bucket configuration.
"The vulnerability found here is similar to the vuln found by @ni5arga leaking all the CBSE answer scripts," the post read.
According to the claim, the misconfigured storage allowed public access to exam materials such as answer sheets and question papers.
The researcher said the system’s listing feature was open without authentication, meaning anyone with the link could browse and download files stored in the bucket. The post also alleged that multiple institutions might be using the same storage setup.
(Edited by : Sudarsanan Mani)
First Published: Jun 3, 2026 6:22 PM IST
Source link
