Hacker News flags 39 exposed Algolia admin keys across open-source documentation sites

Original: I found 39 Algolia admin keys exposed across open source documentation sites

Mar 14, 2026, by Insights AI (HN)

Hacker News spent March 13 discussing Ben Zimmermann's report that 39 active Algolia admin keys were exposed across open-source documentation sites. When I checked the thread on March 14, 2026, the HN submission had a score of 121 and 30 comments, which is a useful signal that the story landed outside a narrow AppSec niche. The reason is straightforward: this is not a bug on a toy demo or an abandoned microsite. It is a credentials problem on developer documentation, one of the most trusted surfaces in open source, and the exposed credentials sit in the search layer that users interact with every day.

Zimmermann says the investigation started after he reported an exposed key on vuejs.org last October. He then used Algolia's archived docsearch-configs repository as a target list, scraped roughly 15,000 documentation sites for embedded credentials, ran GitHub code search, and used TruffleHog on more than 500 repositories to find keys that had been committed and later removed. According to the report, 35 of the 39 exposed admin keys came from frontend scraping alone and four more came from git history. Every single one was active at the time of discovery.

  • Nearly all exposed keys allowed search, addObject, deleteObject, deleteIndex, editSettings, listIndexes, and browse.
  • A few keys had even broader access, including analytics, logs, and NLU-related capabilities.
  • Affected projects included Home Assistant, KEDA, and vcluster, all meaningful infrastructure or developer-facing properties.

In practical terms, the keys would let an attacker poison search results with malicious links, export indexed content, change ranking settings, or wipe a project's search index entirely. Zimmermann wrote that SUSE/Rancher acknowledged the report within two days and rotated its key, Home Assistant began remediation, and Algolia had not responded by publication time. The root cause appears to be operational rather than exotic: Algolia DocSearch expects the frontend to carry only a search-only key, but some projects that run their own crawler appear to have shipped the crawler's write-capable key in the page instead. That turns a convenience feature into a supply-chain footgun. The git-history findings add a second lesson: a key that was committed and later removed from a repository remains valid until it is rotated, and all four of those keys were still live when found. The original report is here: benzimmermann.dev/blog/algolia-docsearch-admin-keys.
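A minimal version of the check the report describes, written for this article as an added example (it is not Zimmermann's tooling, nor code from Algolia or any affected project): pull Algolia credentials out of page text, then grade each key by its ACL list. The regex heuristics, the sample page, the application ID, both API keys and the key metadata are constructed. In a real scan the ACL list comes from Algolia's key-introspection endpoint, GET /1/keys/{key}; the block builds that request but never sends it, so it runs offline.

```python
"""Find Algolia credentials embedded in page text and grade each key by ACL.

Added example for this article, not code from Zimmermann's report, Algolia,
or any affected project.  The regex heuristics, the sample page and the key
metadata below are constructed for illustration.
"""
import re

# Heuristic patterns for how DocSearch/InstantSearch embeds usually look:
# an application ID of 8-10 uppercase alphanumerics and a 32-hex API key.
APP_ID_RE = re.compile(
    r"""(?:appId|appID|app_id|applicationId)["']?\s*[:=]\s*["']([A-Z0-9]{8,10})["']""")
API_KEY_RE = re.compile(
    r"""(?:apiKey|api_key)["']?\s*[:=]\s*["']([0-9a-f]{32})["']""", re.I)

# ACL names as Algolia reports them.  A DocSearch frontend should carry
# nothing beyond "search"; the report lists these write and disclosure
# rights on nearly every exposed key.
WRITE_ACLS = {"addObject", "deleteObject", "deleteIndex", "editSettings"}
DISCLOSURE_ACLS = {"browse", "listIndexes", "analytics", "logs"}


def extract_credentials(text):
    """Return (app_id, api_key) pairs found in text.

    Each key is paired with the closest application ID that precedes it,
    which is how the two normally sit inside a single config object.
    """
    app_ids = [(m.start(), m.group(1)) for m in APP_ID_RE.finditer(text)]
    pairs = []
    for km in API_KEY_RE.finditer(text):
        before = [a for pos, a in app_ids if pos < km.start()]
        pairs.append((before[-1] if before else None, km.group(1)))
    return pairs


def classify_acl(acl):
    """Grade a key from its ACL list (as returned by GET /1/keys/{key})."""
    acl = set(acl)
    if acl & WRITE_ACLS:
        return "ADMIN-WRITE"      # can poison, reorder, or delete the index
    if acl & DISCLOSURE_ACLS:
        return "OVERBROAD-READ"   # can export content, list indices, read logs
    if acl == {"search"}:
        return "SEARCH-ONLY"      # what the frontend is supposed to carry
    return "REVIEW"               # unexpected combination; inspect by hand


def introspection_request(app_id, api_key):
    """Build (url, headers) for Algolia's key-introspection call.

    GET /1/keys/{key}, authenticated with the key itself, returns its ACL
    list.  Only the request is built here; nothing is sent.
    """
    url = f"https://{app_id}-dsn.algolia.net/1/keys/{api_key}"
    headers = {"X-Algolia-Application-Id": app_id, "X-Algolia-API-Key": api_key}
    return url, headers


def scan_page(text, acl_lookup):
    """Extract credentials and grade each; acl_lookup(app_id, key) -> ACL list."""
    findings = []
    for app_id, key in extract_credentials(text):
        acl = acl_lookup(app_id, key)
        findings.append({
            "app_id": app_id,
            "key": key[:6] + "...",       # never log a full secret
            "acl": sorted(acl),
            "verdict": classify_acl(acl),
        })
    return findings


# Constructed sample page: a normal DocSearch embed followed by a self-hosted
# crawler config that leaked its write-capable key into the browser bundle.
SAMPLE_PAGE = """
<script>
  docsearch({
    container: '#docsearch',
    appId: 'EXAMPLEID1',
    apiKey: '0f1e2d3c4b5a69788796a5b4c3d2e1f0',
    indexName: 'docs',
  });
</script>
<script>
  window.__crawler = {"appId": "EXAMPLEID1",
    "apiKey": "deadbeefdeadbeefdeadbeefdeadbeef", "indexName": "docs"};
</script>
"""

# Constructed stand-in for the introspection responses, keyed by API key.
CONSTRUCTED_KEY_ACLS = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": ["search"],
    "deadbeefdeadbeefdeadbeefdeadbeef": ["search", "addObject", "deleteObject",
                                         "deleteIndex", "editSettings",
                                         "listIndexes", "browse"],
}


def offline_lookup(app_id, api_key):
    """Offline replacement for the live GET /1/keys/{key} call."""
    return CONSTRUCTED_KEY_ACLS.get(api_key, [])


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, offline_lookup):
        print(f"{f['verdict']:<15} app={f['app_id']} key={f['key']} acl={f['acl']}")
```

To run this against a live site, replace `offline_lookup` with a function that performs the request returned by `introspection_request` and reads the `acl` field of the JSON response; any verdict other than SEARCH-ONLY on a public page means the key should be rotated, not merely removed from the source.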


© 2026 Insights. All rights reserved.