I Found 39 Algolia Admin Keys Exposed Across Open Source Documentation Sites
5 hours ago
- #api-keys
- #algolia
- #security
- 39 Algolia admin API keys were found exposed across open source documentation sites.
- Exposed keys had full permissions including addObject, deleteObject, deleteIndex, and editSettings.
- Keys were discovered through frontend scraping, GitHub code search, and repository analysis.
- Affected projects include major open source projects like Home Assistant, KEDA, and vcluster.
- Exposed keys could allow malicious actions like modifying search results or deleting indexes.
- Algolia's DocSearch program provides search-only keys, but many sites mistakenly use admin keys.
- Algolia was contacted but has not responded, and many keys remain active.
- Recommendation: Verify frontend config keys are search-only to prevent exposure.
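A small audit helper, added here as an example rather than code from the article or from Algolia, for the recommendation above: given each key's ACL list (assumed to be in the shape of Algolia's get-API-key response, with `value`, `acl` and `description` fields), it flags every key that carries more than `search` and therefore must not be shipped in a frontend config. The key records are constructed sample data.

```python
import json

# Write/config ACLs: a key holding any of these can alter or destroy indexes.
# addObject, deleteObject, deleteIndex and editSettings are the permissions the
# exposed keys in the write-up carried.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings", "settings"}
# A DocSearch-style frontend key needs nothing beyond "search".
FRONTEND_ALLOWED = {"search"}


def classify_key(acl):
    """Return (verdict, excess) for one ACL list.
    verdict: 'search-only', 'over-privileged' (extra read-type ACLs such as
    browse/listIndexes) or 'admin-capable' (any write/config ACL)."""
    acl = set(acl)
    excess = sorted(acl - FRONTEND_ALLOWED)
    if not excess:
        return "search-only", []
    if acl & WRITE_ACLS:
        return "admin-capable", excess
    return "over-privileged", excess


def mask(value):
    """Never log a full key; keep just enough to identify it in the dashboard."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"


def audit_frontend_keys(key_records):
    """key_records: list of dicts shaped like a get-API-key response (assumed
    shape: value, acl, description). Returns findings for every key that is
    not safe to embed in a public page."""
    findings = []
    for rec in key_records:
        verdict, excess = classify_key(rec.get("acl", []))
        if verdict != "search-only":
            findings.append({"key": mask(rec["value"]), "verdict": verdict,
                             "excess": excess, "description": rec.get("description", "")})
    return findings


# Constructed sample records, not real keys.
SAMPLE_KEYS = json.loads("""[
 {"value": "aaaaaaaa1111searchonly", "acl": ["search"], "description": "docsearch frontend"},
 {"value": "bbbbbbbb2222browsekey", "acl": ["search", "browse", "listIndexes"], "description": "crawler"},
 {"value": "cccccccc3333adminkey",
  "acl": ["search", "addObject", "deleteObject", "deleteIndex", "editSettings"],
  "description": "admin key pasted into site config"}
]""")

if __name__ == "__main__":
    for f in audit_frontend_keys(SAMPLE_KEYS):
        print(f"{f['key']}: {f['verdict']} (extra ACLs: {', '.join(f['excess'])})")
```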