I Found 39 Algolia Admin Keys Exposed Across Open Source Documentation Sites
A security researcher discovered 39 Algolia admin API keys exposed across open source documentation sites by scraping roughly 15,000 doc sites and scanning git histories with TruffleHog. Affected projects include Home Assistant (85k GitHub stars), KEDA (CNCF), and vcluster. The exposed keys grant full write/admin permissions, allowing anyone to poison search results, delete indexes, or redirect users to phishing pages. 35 of the 39 keys were found via frontend scraping alone, and all were active at the time of discovery. Root cause: sites that run their own DocSearch crawler mistakenly embed the write/admin key in their frontend config instead of a search-only key. Algolia has not responded to the disclosure. The fix is to verify that your frontend config contains only a search-only key.
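As an added example (not code from the original post), a small audit script for your own documentation site: it extracts the appId/apiKey from an embedded DocSearch snippet and flags any ACL entry beyond `search`. The key-info endpoint, host name and header names are assumptions taken from Algolia's public REST documentation; the sample HTML and ACL response are constructed.

```python
import json
import re
import urllib.request

# Constructed sample of a DocSearch v3 snippet as a documentation site embeds it.
SAMPLE_HTML = """<script>
  docsearch({
    appId: 'EXAMPLEAPP1',
    apiKey: '0123456789abcdef0123456789abcdef',
    indexName: 'example_docs',
  });
</script>"""

# Constructed sample of the JSON Algolia returns for a key; a correctly
# provisioned frontend key has acl == ["search"] and nothing else.
SAMPLE_KEY_INFO = {"acl": ["search", "addObject", "deleteIndex"]}

# Matches the appId / apiKey fields of a docsearch({...}) call.
DOCSEARCH_RE = re.compile(r"""\b(appId|apiKey)\s*:\s*['"]([A-Za-z0-9]+)['"]""")

def extract_docsearch_credentials(html):
    """Return (appId, apiKey) from an embedded DocSearch config, or None."""
    found = dict(DOCSEARCH_RE.findall(html))
    if "appId" in found and "apiKey" in found:
        return found["appId"], found["apiKey"]
    return None

def fetch_key_info(app_id, api_key):
    """Ask Algolia what a key may do; a key can look up its own ACL.
    Assumption: GET /1/keys/{key}, the host and the header names follow
    Algolia's public REST docs; this call is not exercised offline."""
    req = urllib.request.Request(
        f"https://{app_id}.algolia.net/1/keys/{api_key}",
        headers={"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def excess_acl(key_info):
    """ACL entries a public search key must not carry (anything but 'search')."""
    return sorted(set(key_info.get("acl", [])) - {"search"})

def audit_frontend_key(html, key_info):
    """Classify a page: no config, a search-only key, or an over-privileged key."""
    if extract_docsearch_credentials(html) is None:
        return "no-docsearch-config"
    extra = excess_acl(key_info)
    return "search-only" if not extra else "over-privileged:" + ",".join(extra)
```

To run it against a live site, pass the page HTML to `extract_docsearch_credentials` and feed the result of `fetch_key_info` into `audit_frontend_key`.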
Table of contents
How Algolia DocSearch works
What I found
What these keys can do
Disclosure
The root cause