Salesforce’s Tableau Server, a widely utilized data visualization tool, has been found to contain multiple critical security vulnerabilities that could allow attackers to upload and execute malicious files, potentially leading to full system compromise. These vulnerabilities affect various versions of Tableau Server and Tableau Desktop across both Windows and Linux platforms.
Key Vulnerabilities Identified:
1. CVE-2025-26496: Type Confusion in File Upload Modules
This vulnerability, with a CVSS score of 9.6, arises from the improper handling of data types during file processing. Attackers can exploit this flaw to bypass security controls and execute arbitrary code on the target system. Affected versions include Tableau Server prior to 2025.1.4, 2024.2.13, and 2023.3.20.
2. CVE-2025-26497 and CVE-2025-26498: Unrestricted File Uploads
Both vulnerabilities, each with a CVSS score of 7.7, involve the Flow Editor and establish-connection-no-undo modules, respectively. They allow attackers to upload files with dangerous types, facilitating absolute path traversal attacks that can lead to unauthorized file writing on the server’s filesystem.
3. CVE-2025-52450 and CVE-2025-52451: Path Traversal Vulnerabilities
Scoring 8.5 on the CVSS scale, these vulnerabilities affect the tabdoc API’s create-data-source-from-file-upload modules. They enable attackers to perform directory traversal attacks, accessing sensitive system files outside the intended upload directory. Techniques such as double encoding or Unicode normalization can be used to bypass path sanitization mechanisms.
Immediate Action Required:
Organizations using affected versions of Tableau Server are strongly advised to upgrade to the latest supported maintenance release without delay. Salesforce has provided patches to address these vulnerabilities, following responsible disclosure practices. Given the critical nature of these flaws and the potential for remote code execution, system administrators should prioritize applying these updates.
Additional Recommendations:
– Monitor Access Logs: Regularly review logs for any unusual file upload activities that could indicate exploitation attempts.
– Implement Web Application Firewalls (WAF): Deploy WAF rules to detect and prevent path traversal attempts.
– Conduct Security Assessments: After applying patches, perform thorough security assessments to ensure no prior compromises have occurred.
The combination of file upload and path traversal vulnerabilities presents a significant risk, potentially leading to complete server compromise, data exfiltration, and the deployment of malicious payloads such as ransomware. Proactive measures and prompt patching are essential to safeguard systems against these threats.
