Developer Tools

I found 39 Algolia admin keys exposed across open source documentation sites

Full admin API keys for major projects like Home Assistant and KEDA were publicly accessible.

Deep Dive

Security researcher Tom Forbes uncovered a widespread credential exposure affecting major open source projects: 39 fully permissioned Algolia admin API keys were shipped in the frontend code of public documentation sites. The discovery began when Forbes found an exposed key on vuejs.org in October 2023, which led to a broader investigation. Using custom scripts to scrape approximately 15,000 documentation sites and analyzing GitHub repositories, Forbes identified keys whose ACLs included write permissions such as addObject, deleteObject, deleteIndex, and editSettings, none of which a key embedded in a public page should carry. The affected projects include Home Assistant (85,000 GitHub stars), KEDA (a CNCF Kubernetes project), and vcluster, which had the largest search index at over 100,000 records.

These exposed keys present severe security risks. Attackers could delete entire search indexes, inject malicious links into search results, redirect users to phishing pages, or export all indexed content. Forbes disclosed the findings to the affected organizations and to Algolia directly several weeks ago, but as of publication most keys remain active; only SUSE/Rancher and Home Assistant have taken remediation steps. The root cause appears to be misconfiguration by sites using Algolia's DocSearch program: the frontend configuration ships an admin key where a search-only key belongs, despite clear warnings in Algolia's documentation. Any key placed in a public page is readable by every visitor, so the key's ACL is the only control that limits what a reader can do with it.
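
The check Forbes's investigation implies, and the one a maintainer should run against their own docs site, is the same: pull the Algolia credentials out of the page's DocSearch config, ask Algolia what the key is allowed to do, and flag anything beyond `search`. The script below is an added example, not code from Forbes's write-up or from Algolia. It assumes a DocSearch init of the shape shown in the constructed sample page, and that Algolia's documented `GET /1/keys/{key}` endpoint returns a JSON object with an `acl` list when called with the key itself; the sample app ID, key values and responses are made up.

```python
"""Triage an Algolia API key found in a documentation site's front-end config.

Added example (not from the original write-up or from Algolia). Assumed: the
constructed DocSearch snippet shape below, and the documented shape of Algolia's
GET /1/keys/{key} response. Everything except fetch_key_info() runs offline.
"""
import json
import re
import urllib.request

# The only ACL a key embedded in a public page should carry.
FRONTEND_SAFE_ACLS = {"search"}
# ACLs that let a holder alter or destroy an index (the ones the write-up lists).
DESTRUCTIVE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings", "settings"}
# ACLs that let a holder pull records out in bulk.
EXPORT_ACLS = {"browse", "seeUnretrievableAttributes", "logs"}

# Matches appId: 'X', apiKey: "Y", indexName: 'Z' (quoted or bare property names)
# inside a docsearch({...}) call or a Docusaurus-style algolia: {...} block.
_CONFIG_FIELD = re.compile(
    r"""["']?\b(?P<name>appId|apiKey|indexName)\b["']?\s*:\s*["'](?P<value>[^"']+)["']"""
)


def extract_docsearch_config(html: str) -> dict:
    """Pull Algolia credentials out of a page's inline DocSearch config.

    Returns {} when no apiKey is present; duplicate fields keep the first match.
    """
    fields = {}
    for m in _CONFIG_FIELD.finditer(html):
        fields.setdefault(m.group("name"), m.group("value"))
    return fields if "apiKey" in fields else {}


def fetch_key_info(app_id: str, api_key: str) -> dict:
    """Ask Algolia what a key may do, authenticating with the key itself.

    Algolia documents GET /1/keys/{key} as returning a non-admin key's own
    permissions; the host follows the documented {APP_ID}-dsn.algolia.net pattern.
    This is the one network call; tests inject a stub in its place.
    """
    req = urllib.request.Request(
        f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}",
        headers={"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def classify_key(key_info: dict) -> dict:
    """Decide whether a key's ACL is acceptable for a public front end."""
    acl = set(key_info.get("acl", []))
    risky = sorted(acl - FRONTEND_SAFE_ACLS)
    return {
        "acl": sorted(acl),
        "risky_acls": risky,
        "destructive": bool(acl & DESTRUCTIVE_ACLS),
        "exportable": bool(acl & EXPORT_ACLS),
        # A key limited to named indexes is still unsafe if it can write to them,
        # so the restriction is reported but does not change the verdict.
        "index_restricted": bool(key_info.get("indexes")),
        "safe_for_frontend": not risky,
    }


def triage(html: str, key_lookup=fetch_key_info) -> dict:
    """End-to-end check for one page: find the key, look up its ACL, classify."""
    cfg = extract_docsearch_config(html)
    if not cfg:
        return {"found": False}
    info = key_lookup(cfg.get("appId", ""), cfg["apiKey"])
    report = classify_key(info)
    report.update(found=True, app_id=cfg.get("appId"), index_name=cfg.get("indexName"))
    return report


# Constructed sample page: the shape of an inline DocSearch init, with made-up ids.
SAMPLE_HTML = """
<script>
  docsearch({
    appId: 'EXAMPLEAPP1',
    apiKey: '0123456789abcdef0123456789abcdef',
    indexName: 'project_docs',
    container: '#docsearch',
  });
</script>
"""

# Constructed responses in the shape of GET /1/keys/{key}: an admin-style key
# like the ones found in the wild, and the search-only key that belongs there.
SAMPLE_KEY_RESPONSE_ADMIN = {
    "value": "0123456789abcdef0123456789abcdef",
    "acl": ["search", "browse", "addObject", "deleteObject", "deleteIndex", "editSettings"],
    "createdAt": 1700000000,
}
SAMPLE_KEY_RESPONSE_SEARCH = {
    "value": "fedcba9876543210fedcba9876543210",
    "acl": ["search"],
    "indexes": ["project_docs"],
    "createdAt": 1700000000,
}

if __name__ == "__main__":
    for label, resp in [("admin", SAMPLE_KEY_RESPONSE_ADMIN), ("search-only", SAMPLE_KEY_RESPONSE_SEARCH)]:
        print(label, triage(SAMPLE_HTML, key_lookup=lambda app, key, r=resp: r))
```

Run it against a real page by passing the fetched HTML to `triage()` with the default `key_lookup`; the verdict is `safe_for_frontend`, and `risky_acls` lists exactly what needs to go. The fix when it fails is not to hide the key better, since anything in the page is public, but to create a search-only key scoped to the docs index, swap it into the config, and revoke the admin key.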

Key Points
  • 39 fully permissioned Algolia admin API keys exposed across open source documentation sites
  • Affects major projects including Home Assistant (85K stars) and Kubernetes tools KEDA/vcluster
  • Attackers could delete indexes, inject malicious links, or export all data using these keys

Why It Matters

Exposed admin keys let attackers sabotage documentation search for millions of users and inject malicious content.