Rylen Anil shared a post on the social media platform The issue involved publicly accessible cloud storage buckets where data could reportedly be listed and downloaded without authentication.
“JEE Advanced 2026 candidate/result infrastructure (https://cdata.jeeadv.ac.in/result2026/) had a public cloud storage misconfiguration exposing bulk candidate data without authorization,” the post read.
JEE Advanced 2026 candidate/result infrastructure (https://t.co/6mBpjkxH01) had a public cloud storage misconfiguration exposing bulk candidate data without auth.
This exposed ~179.6k result records and ~187.3k admit-card PDFs, including candidate names, DOBs and mobile numbers. pic.twitter.com/NUk4HGwqQP
— Rylen Anil (@DarthKermi72747) June 2, 2026
He claimed that around 1.79 lakh result records and nearly 1.87 lakh admit card PDFs may have been exposed. The data reportedly included basic personal details such as names, dates of birth, and mobile numbers.
ALSO READ | CBSE opens class 12 re-evaluation portal a day late after cybersecurity fix
IIT Roorkee, the organizing institute, has acknowledged the issue and said it has been fixed on priority.
It clarified that the issue was not a hacking incident but a configuration problem in cloud storage. “Thank you @DarthKermy72747 for pointing out the configuration issue in the *cloud storage device*. The same is being plugged on priority.
“The institute also said that the data remained in ‘read-only’ mode, meaning it could be viewed but not altered. “The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour,” the tweet read.
Thank you @DarthKermy72747 for pointing out the configuration issue in the *cloud storage device*. The same is being plugged on priority. The data stored was read-only and so there was no possibility of any alteration. We applaud your responsible and ethical behaviour.
— IIT Roorkee (@iitroorkee) June 2, 2026
The data leak claim came a day after another user said CBSE’s systems also had a similar cloud storage issue, where exam-related files were allegedly left exposed online due to incorrect AWS bucket configuration.
“The vulnerability found here is similar to the vuln found by @ni5arga leaking all the CBSE answer scripts,” the post read.
According to the claim, the misconfigured storage allowed public access to exam materials such as answer sheets and question papers.
The researcher said the system’s listing feature was open without authentication, meaning anyone with the link could browse and download files stored in the bucket. The post also alleged that multiple institutions might be using the same storage setup.
