I Found 39 Algolia Admin Keys Exposed Across Open Source Documentation Sites

Exposed Algolia Admin Keys Found in 39 Major Open Source Docs Sites: “Anyone Could Delete Entire Search Indexes”

A developer has found 39 exposed Algolia admin API keys embedded in the documentation sites of some of the largest open source projects on the web. Anyone holding one of these keys can wipe a site's search index outright or tamper with the results its readers see.

The issue was first spotted when a developer reported an exposed admin key on vuejs.org last October. After the Vue.js team acknowledged the problem and rotated the key, the researcher wondered: if Vue.js had this issue, how many other DocSearch sites might be vulnerable?

The answer: at least 39 major projects, with the actual number likely much higher.

How It Works

Algolia’s DocSearch provides free search for open source documentation. The service crawls a site, builds the index, and issues a search-only API key that is meant to be shipped in the frontend. Many sites, however, end up embedding an admin key in their frontend configuration instead, where anyone who loads the page can read it.

What Was Found

The researcher discovered these keys through multiple methods:

  • Frontend scraping of roughly 15,000 documentation sites
  • GitHub code search for keys in documentation framework configs
  • TruffleHog analysis of 500+ documentation site repositories

35 of the 39 admin keys came from frontend scraping alone. All keys were active when discovered.

Major Projects Affected

The exposed keys belong to some of the biggest names in open source:

  • Home Assistant – 85,000+ GitHub stars, millions of active installations
  • KEDA – CNCF project used in production Kubernetes clusters
  • vcluster – Kubernetes infrastructure with the largest affected index (100,000+ records)
  • Vue.js – Already addressed, but was the initial discovery
  • SUSE/Rancher – Acknowledged and rotated their key within two days

What These Keys Can Do

Nearly all exposed keys have identical dangerous permissions:

  • Add, modify, or delete any record in the search index
  • Delete entire indexes
  • Change index settings and ranking configuration
  • Browse and export all indexed content

In practical terms, anyone with these keys could:

  • Poison search results with malicious links
  • Redirect users to phishing pages
  • Completely wipe out search functionality for entire sites
  • Export sensitive documentation content

The Response

SUSE/Rancher responded within two days and rotated their key (now fully revoked).
Home Assistant acknowledged the issue but the original key remains active.
Algolia was directly emailed with the full list of affected keys weeks ago but has not responded. As of today, all remaining keys are still active.

The Root Cause

This isn’t about 39 individual mistakes. Algolia’s DocSearch program issues search-only keys for the frontend, but sites that run their own crawler also hold a write or admin key, and it is that key which ends up pasted into the frontend configuration. Algolia’s own documentation warns against this, yet it clearly happens at scale.

The Fix

If you’re running DocSearch, check which key your frontend configuration ships and make sure it is search-only: a key that can add or delete records, drop an index, or change settings does not belong in a browser bundle. The researcher notes: “If I found 39 admin keys with a few scripts, the real number is almost certainly higher.”
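As an added example (not the researcher’s scripts and not Algolia’s tooling), the script below does in miniature what the frontend-scraping and key-checking steps described above amount to: it pulls `appId`/`apiKey` pairs out of a page or config body with regexes, asks Algolia’s “Get API key” endpoint what the key is allowed to do, and classifies the returned ACL. The shapes assumed for the regexes (10-character app IDs, 32-hex keys), the `{appId}.algolia.net` host, and the assumption that the endpoint answers for the key it is called with are mine; the sample config and ACL answers are constructed so the audit runs offline.

```python
"""Find Algolia credentials in a docs front-end and classify what the key can do.

Added example; not the researcher's code and not an Algolia tool.
"""
import json
import re
import urllib.request

# Assumed shapes (not stated on the page): Algolia application IDs are 10
# upper-case alphanumerics, API keys are 32 hex characters. The patterns
# match the `appId: '...'` / `apiKey: '...'` style used by DocSearch configs.
APP_ID_RE = re.compile(r"""appId['"]?\s*[:=]\s*['"]([A-Z0-9]{10})['"]""")
API_KEY_RE = re.compile(r"""apiKey['"]?\s*[:=]\s*['"]([0-9a-fA-F]{32})['"]""")

# ACL names as they appear in the `acl` field of Algolia's key API response.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "settings", "editSettings"}
EXPORT_ACLS = {"browse"}


def extract_credentials(text):
    """Return (appId, apiKey) pairs found in a page or config body, in order."""
    return list(zip(APP_ID_RE.findall(text), API_KEY_RE.findall(text)))


def classify_acl(acl):
    """Classify a key by its ACL list.

    'search-only' - safe to ship in a browser bundle
    'write'       - can add/delete records, drop indexes, change ranking
    'export'      - can browse/dump the whole index but not modify it
    'other'       - broader than search but none of the above (e.g. analytics)
    """
    acl = set(acl)
    if acl & WRITE_ACLS:
        return "write"
    if acl & EXPORT_ACLS:
        return "export"
    if acl <= {"search"}:
        return "search-only"
    return "other"


def fetch_acl(app_id, api_key, timeout=10):
    """Ask Algolia what `api_key` may do, authenticating with the key itself.

    Assumption: GET /1/keys/{key} returns the key's own ACL when called with
    that key. If the call fails, treat the key as unverified, not as safe,
    and check it in the Algolia dashboard.
    """
    url = f"https://{app_id}.algolia.net/1/keys/{api_key}"
    req = urllib.request.Request(url, headers={
        "X-Algolia-Application-Id": app_id,
        "X-Algolia-API-Key": api_key,
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["acl"]


def audit_page(text, lookup=fetch_acl):
    """Extract every credential pair in `text` and report a verdict for each.

    `lookup` is injectable so the audit can run offline against recorded ACLs.
    """
    findings = []
    for app_id, key in extract_credentials(text):
        try:
            verdict = classify_acl(lookup(app_id, key))
        except Exception as exc:  # network or auth failure: never assume safe
            verdict = f"unverified ({exc.__class__.__name__})"
        findings.append({"appId": app_id, "apiKey": key, "verdict": verdict})
    return findings


# Constructed sample: a DocSearch-style config as it appears in a built docs
# bundle. The credentials are made up and not real.
SAMPLE_CONFIG = """
  algolia: {
    appId: 'ABCDEFGHIJ',
    apiKey: '0123456789abcdef0123456789abcdef',
    indexName: 'example-docs',
  },
"""

# Constructed ACL answers standing in for the live endpoint: this one is the
# admin-shaped ACL the page describes (write, delete, settings, browse).
SAMPLE_ACLS = {
    "0123456789abcdef0123456789abcdef": [
        "search", "addObject", "deleteObject", "deleteIndex", "editSettings", "browse",
    ],
}


def sample_lookup(app_id, api_key):
    """Offline stand-in for fetch_acl; raises KeyError for unknown keys."""
    return SAMPLE_ACLS[api_key]


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_CONFIG, lookup=sample_lookup):
        print(finding)
```

Run it against the HTML or built JS of your own docs site (drop the `lookup=` argument to hit the live endpoint). Any verdict other than `search-only` means the key in the bundle must be rotated and replaced with the search-only key DocSearch issued.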

This is a critical security issue affecting major open source projects that Algolia and the affected projects need to address immediately.

tags: #Algolia #Security #APIKeys #OpenSource #Documentation #Vuejs #HomeAssistant #Kubernetes #SUSE #Rancher #vcluster #KEDA #Cybersecurity #DataBreach #ExposedCredentials
