Critical Vulnerabilities in Salesforce’s Tableau Server Expose Systems to Remote Code Execution and Unauthorized Access

Salesforce’s Tableau Server, a widely used data visualization tool, has been found to contain multiple critical security vulnerabilities that could allow attackers to execute remote code, bypass authorization controls, and access sensitive production databases. These vulnerabilities affect Tableau Server versions prior to 2025.1.3, 2024.2.12, and 2023.3.19, prompting urgent calls for immediate patching across enterprise environments.

Overview of the Vulnerabilities

A total of eight critical vulnerabilities have been identified, each posing significant risks to organizations relying on Tableau Server for data analysis and visualization. The most severe of these, CVE-2025-52449, carries a CVSS 3.1 base score of 8.5 and stems from unrestricted file upload capabilities within the Extensible Protocol Service modules. This flaw enables Remote Code Execution (RCE) through deceptive filenames, potentially allowing attackers to gain complete system control.

Three additional authorization bypass vulnerabilities—CVE-2025-52446, CVE-2025-52447, and CVE-2025-52448—each scoring 8.0 on the CVSS scale, affect various API modules. These vulnerabilities exploit user-controlled keys to manipulate interfaces, granting unauthorized access to production database clusters containing sensitive organizational data.

Server-Side Request Forgery and Path Traversal Flaws

Server-Side Request Forgery (SSRF) vulnerabilities represent another critical attack vector, with three separate CVEs identified across different components:

– CVE-2025-52453 (CVSS 8.2): Affects Flow Data Source modules.
– CVE-2025-52454 (CVSS 8.2): Impacts Amazon S3 Connector modules.
– CVE-2025-52455 (CVSS 8.1): Targets EPS Server modules.

These vulnerabilities enable resource location spoofing, allowing attackers to manipulate server requests and potentially access internal systems.

A significant path traversal vulnerability, designated as CVE-2025-52452 (CVSS 8.5), affects the tabdoc API duplicate-data-source modules. This improper limitation of pathname restrictions enables absolute path traversal attacks, potentially exposing sensitive files across the server filesystem through directory traversal techniques.

Detailed Breakdown of Vulnerabilities

| CVE ID | Vulnerability Title | CVSS 3.1 Score | Severity |
|---|---|---|---|
| CVE-2025-52446 | Authorization Bypass Through User-Controlled Key | 8.0 | High |
| CVE-2025-52447 | Authorization Bypass Through User-Controlled Key | 8.0 | High |
| CVE-2025-52448 | Authorization Bypass Through User-Controlled Key | 8.0 | High |
| CVE-2025-52449 | Unrestricted Upload of File with Dangerous Type | 8.5 | High |
| CVE-2025-52452 | Improper Limitation of a Pathname to a Restricted Directory | 8.5 | High |
| CVE-2025-52453 | Server-Side Request Forgery (SSRF) | 8.2 | High |
| CVE-2025-52454 | Server-Side Request Forgery (SSRF) | 8.2 | High |
| CVE-2025-52455 | Server-Side Request Forgery (SSRF) | 8.1 | High |

Mitigation Measures

Salesforce strongly advises all Tableau Server customers to implement immediate remediation measures. Organizations should update to the latest supported Maintenance Release within their current branch, available through the official Tableau Server Maintenance Release page. Additionally, customers utilizing Trino (formerly Presto) drivers must update to the most recent versions to mitigate potential risks associated with these vulnerabilities.
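As an added example (not Salesforce or Tableau code), the following Python script classifies an inventory of installed Tableau Server versions against the three fixed releases named above. It assumes the YEAR.MINOR.MAINTENANCE version format and treats the first two components as the release line; lines the advisory does not name are flagged for manual verification rather than reported as safe.

```python
"""Check installed Tableau Server versions against the fixed releases above.
Added example, not Salesforce/Tableau code; assumes YEAR.MINOR.MAINTENANCE
version strings and that a release line is the first two components."""
import re
from typing import Dict, List, Tuple

# Fixed maintenance releases named in the advisory, keyed by release line.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2025, 1): (2025, 1, 3),
    (2024, 2): (2024, 2, 12),
    (2023, 3): (2023, 3, 19),
}

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'YYYY.minor.maint' into a comparable int tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tableau Server version: {text!r}")
    year, minor, maint = (int(g) for g in m.groups())
    return (year, minor, maint)


def assess(version_text: str) -> str:
    """Classify one version as 'patched', 'affected' or 'unlisted'."""
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Release line not named in the advisory: no evidence either way,
        # so flag it for manual verification rather than calling it safe.
        return "unlisted"
    return "patched" if version >= fixed else "affected"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (hostname, version) pairs by status into a patch work queue."""
    report: Dict[str, List[str]] = {"affected": [], "patched": [], "unlisted": []}
    for host, version_text in inventory:
        report[assess(version_text)].append(f"{host} ({version_text})")
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("bi-prod-01", "2024.2.11"), ("bi-prod-02", "2024.2.12"),
              ("bi-dev-01", "2025.1.2"), ("bi-lab-01", "2024.1.9")]
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```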

Understanding the Impact

The identified vulnerabilities span several Tableau Server modules, presenting a broad attack surface that threat actors could exploit. The most severe vulnerability, CVE-2025-52449, originates from unrestricted file upload capabilities within the Extensible Protocol Service modules. This flaw enables Remote Code Execution (RCE) through deceptive filenames that trigger alternative execution methods, potentially allowing attackers to gain complete system control.

Three additional authorization bypass vulnerabilities—CVE-2025-52446, CVE-2025-52447, and CVE-2025-52448—affect the tab-doc API modules, set-initial-sql tabdoc command modules, and validate-initial-sql API modules, respectively. These vulnerabilities exploit user-controlled keys to manipulate interfaces, granting unauthorized access to production database clusters containing sensitive organizational data.

Conclusion

The discovery of these critical vulnerabilities in Salesforce’s Tableau Server underscores the importance of proactive security measures and timely software updates. Organizations utilizing affected versions of Tableau Server should prioritize patching to mitigate potential risks associated with these vulnerabilities. By staying vigilant and implementing recommended security practices, organizations can safeguard their systems and sensitive data from potential exploitation.