
Hard-coded API key in AI note taking app exposed users’ private meeting transcripts

Impact limited to TestFlight users; bug fixed before public release.

the quick version

  • what happened? a hard-coded AssemblyAI key shipped inside the Granola desktop client let anyone pull other people’s transcripts processed by the popular “AI notepad.”

  • who found it? Tenable researcher Ben Smith (TRA-2025-07) and independent researcher @rez0__.

  • is it fixed? yes. Granola revoked the key on 11 Mar 2025 and scrubbed it from the unauthenticated /get-feature-flags endpoint. It was fixed before the app made it to the general public. Kudos Granola.

  • why it matters: AI apps sucking up all of our data, including keyloggers like Grammarly, and voice data like these meeting recorders should be considered critical software at this point.

inside the bug

Tenable’s advisory shows the Mac Electron bundle contained an assembly_key that could be lifted with a single cURL request:

curl -X POST https://api.granola.ai/v1/get-feature-flags \
     -H "X-Client-Version: 5.226.0" | jq '.[] | select(.feature=="assembly_key")'

Using that key, an attacker could enumerate AssemblyAI’s /transcript API and download text transcripts for other Granola users. No authentication or user interaction was required. (Tenable)

researcher play-by-play

In a Monday X/Twitter thread, security researcher rez0 called the issue “a Granola AI vulnerability that flew under the radar … anyone could leak all Granola transcripts.” He reached out to Vulnerable U about it seeming pretty bad. rez0 is also a user of Granola.

But after Granola's CEO responded, he took the original tweet down: it impacted a very small number of users on a TestFlight version of the app, not all transcripts as it initially seemed.

I’m still publishing this story because it is the nightmare scenario for these AI transcription tools that have exploded in popularity. If they record everything and they get popped, a ton of sensitive data leaks. It looks like that bullet was dodged here.

vendor response

Granola co-founder and CEO Chris Pedregal acknowledged the flaw in a public X post, saying the team “disabled the exposed key within minutes of Tenable’s disclosure” and that “no audio recordings were ever accessible, only text.” He added that Granola has “migrated feature-flag delivery to signed, short-lived tokens.”

This was also fixed in dev before it made it to prod, which is the ideal outcome for a vulnerability like this. Kudos Granola team.
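As an added example (not Granola's, Tenable's or AssemblyAI's code), here is the weak pattern from the advisory beside the hardened one the vendor describes: a review check that catches a provider secret riding in a client-reachable feature-flag payload, and a backend that hands clients only short-lived signed tokens while the transcription provider's key stays server-side. The flag names, placeholder values, token format and ownership check are all assumptions.

```python
import base64, binascii, hashlib, hmac, json, re

# Constructed sample of the weak pattern: an unauthenticated feature-flag payload
# carrying a third-party transcription key (placeholder value, not a real key).
FLAGS_VULNERABLE = [
    {"feature": "new_sidebar", "value": True},
    {"feature": "assembly_key", "value": "PLACEHOLDER_PROVIDER_SECRET_0123456789abcdef"},
]
CREDENTIAL_NAME = re.compile(r"key|secret|token|password", re.I)

def find_exposed_secrets(flags, min_len=20):
    """Review check for anything the client can fetch: report entries whose name
    suggests a credential and whose value is a long opaque string."""
    return [f["feature"] for f in flags
            if CREDENTIAL_NAME.search(f["feature"])
            and isinstance(f["value"], str) and len(f["value"]) >= min_len]

# Hardened pattern (assumed design, modelled on "signed, short-lived tokens"):
# the provider key never leaves the backend; each client gets a per-user token
# that only the backend's proxy accepts, and the proxy enforces ownership.
SIGNING_KEY = b"backend-only-signing-key-placeholder"  # assumption, never shipped

def issue_token(user_id, now, ttl=300):
    """Mint a base64url(payload).hexsig token valid for ttl seconds from now."""
    payload = json.dumps({"sub": user_id, "exp": now + ttl}).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig

def verify_token(token, now):
    """Return the user id for a well-formed, authentic, unexpired token; else None."""
    try:
        payload_b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered payload or forged signature
    claims = json.loads(payload)  # safe to parse only after the MAC check
    return claims["sub"] if claims["exp"] > now else None

def fetch_transcript(token, transcript_id, owner_of, now):
    """Backend proxy: the client never sees the provider key. Authorise by token,
    then by ownership; the upstream provider call is represented by the result."""
    user = verify_token(token, now)
    if user is None or owner_of.get(transcript_id) != user:
        return None
    return f"transcript {transcript_id} for {user}"
```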

bigger picture

Meeting-assistant startups raised ≈ $850 million in 2024-25, most piping audio to third-party transcription engines. With AI services soaking up voice, video, and keystrokes, a leaked secret in one of them now sits on the critical path to all the other secrets that service has captured.

what users should do

  • assume anything recorded could leak someday; keep truly sensitive topics off mic.

  • rotate any secrets that might live in older transcripts.

  • track ai note-taking tools like critical software: inventory them and keep auto-update enabled.

disclosure timeline

date (2025)   event
18 Feb        Tenable asks Granola for security contact
10 Mar        Vendor responds, receives PoC
11 Mar        Key revoked, endpoint patched
12 Mar        Tenable publishes TRA-2025-07
12 May        Issue surfaces on social via Rez0; Granola issues public statement

Compiled from Tenable advisory and company statements. (Tenable)