Earlier this year, I made the difficult decision to move on from Teachable as the course platform for The Taggart Institute. I couldn't be happier with the result, but while I was moving, I discovered a serious flaw in Teachable's configuration that allows the theft of intellectual property and the loss of revenue for teachers on the platform. As of this writing, the issue has only been partially addressed.
The Issue
When you upload material to Teachable, it is stored in an S3 bucket—specifically, lecture_attachments. Teachable wisely does not expose this bucket directly. Instead, they put the bucket behind a CloudFront CDN. This CDN is at the domain uploads.teachablecdn.com. All reasonable, right?
Unfortunately, there's a gotcha. Of course CloudFront needs access to the S3 bucket, but you do not.

And yet, for reasons surpassing understanding, Teachable decided to let the first page of the S3 bucket listing be visible through CloudFront.
See for yourself. https://uploads.teachablecdn.com

There are 1000 listings there. Take a Key value and use it as a path after uploads.teachablecdn.com, and you'll be able to download the file.
These are course materials uploaded by Teachable course creators. Many, if not most, are behind a paywall and are copyrighted intellectual property. Teachable's cloud asset configuration has compromised the integrity of their contract with creators, allowing anyone who can see these entries to download them without payment.
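An added example, not from the original post or from Teachable: a check an operator could run over their own bucket policy to catch the condition described above, where the CDN's identity (or everyone) may list the bucket instead of only fetching objects. The policies, the bucket name `example-uploads` and the helper names are constructed for illustration; the page does not show how Teachable's bucket is actually configured.

```python
import fnmatch
import json

# s3:ListBucket is the permission behind the key listing returned at the bucket root.
LISTING_ACTIONS = ("s3:listbucket", "s3:listbucketversions")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_listing(action):
    """True if an Action string, wildcards included, covers a listing action."""
    return any(fnmatch.fnmatchcase(t, action.lower()) for t in LISTING_ACTIONS)

def _principal_kind(principal):
    """Classify the principals this audit cares about: everyone, or CloudFront."""
    if principal == "*":
        return "public"
    values = [v for vals in principal.values() for v in _as_list(vals)]
    if "*" in values:
        return "public"
    if any("cloudfront" in v.lower() for v in values):
        return "cloudfront"
    return None

def audit_bucket_policy(policy_json):
    """Return (Sid, principal kind, listing actions) for each risky Allow statement."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # NotAction statements are not evaluated here.
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        kind = _principal_kind(stmt.get("Principal", {}))
        actions = [a for a in _as_list(stmt["Action"]) if _grants_listing(a)]
        if kind and actions:
            findings.append((stmt.get("Sid", "<no Sid>"), kind, actions))
    return findings

def _policy(actions, resources):  # builds a constructed one-statement policy
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "CdnRead", "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": actions, "Resource": resources}]})

BUCKET = "arn:aws:s3:::example-uploads"  # constructed bucket name
WEAK = _policy(["s3:GetObject", "s3:ListBucket"], [BUCKET, BUCKET + "/*"])
FIXED = _policy("s3:GetObject", BUCKET + "/*")  # objects only, no listing

if __name__ == "__main__":
    print(audit_bucket_policy(WEAK))
    print(audit_bucket_policy(FIXED))
```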
It Gets Worse
Now, 1000 entries wouldn't be so bad—still bad, but a sliver of what's available on Teachable. Unfortunately, this configuration has been like this for a while, and the page has been indexable and crawlable the whole time.
Indeed, I was notified of this issue by a TTI member, who discovered that my book was available for download without payment this way, happily indexed by Google, DuckDuckGo, and Bing.
Feel free to explore the results of site:uploads.teachablecdn.com in your search engine of choice.
Attachments vs. Products
Teachable separates these uploads into two categories: attachments, which are uploaded to a course, and digital-products, which are made available as a digital download, like The Homelab Almanac was.
When the issue was discovered, https://uploads.teachablecdn.com/digital-products would return a list of digital products, and https://uploads.teachablecdn.com or /attachments would return a list of course attachments. The former has been properly configured to require temporary keys generated upon request from a trusted source (like teachable.com sites).
However, attachments are still very much intellectual property and deserve protection. I'm not sure why this distinction was made.
Is it Really a Problem?
The nature of the fronting means that URL parameters intended for the S3 bucket (like page number) are not passed directly to the bucket, mitigating the direct impact. The entire bucket's contents are not enumerable. Nevertheless, the long history of this issue, compounded by indexed results, means that Teachable has left multiple creators exposed to paywall bypass and potential theft of their intellectual property.
At the very least, Teachable is not protecting their creators. At worst, it's loss of revenue for those creators who, believe me, are not operating at significant margins.
What Could Teachable Do?
Working with search engines/indices to deindex sites is not an unknown process. All the assets in question are listed under Teachable's own domain, teachablecdn.com.
Teachable's (In)actions
I initially disclosed this issue to Teachable on 4 February 2026. It took a while to get a hold of someone, as their abuse@teachable.com email address is seemingly unmonitored. Eventually, a support ticket routed me to their bug bounty program, despite my fervently indicating I was uninterested in a bounty. I just wanted the issue addressed. I was told engineers were working on it, and I was asked to abide by the 90-day Responsible Disclosure Policy. I have done so. The issue persists, so here we are.
Smell Ya Later, Teachable
I'm leaving Teachable's platform—for this reason among many, including their continued price gouging and insistence on AI features I neither need nor want. The migration to Discourse away from a more managed platform was by no means simple, but so worth it. The community understands the reason for the switch, and it turns out people are still willing to make purchases on the new system.
You can own your content and its distribution. It's not impossible in this age. We don't have to let rent-seeking brokers like Teachable mediate the connection between teacher and student—especially when their security posture is suspect.
Disclosure Timeline
- 2026-02-04: Incident reported to abuse@teachable.com. No response
- 2026-02-06: Teachable Support picks up ticket
- 2026-02-11: Teachable closes ticket and claims engineering will address the issue
90 days later...
- 2026-05-13: Issue persists