A series of critical security vulnerabilities have been identified in Tableau Server, potentially allowing attackers to upload and execute malicious files, leading to full system compromise. These vulnerabilities, discovered during a proactive security assessment by Salesforce Security, affect multiple versions of Tableau Server and Tableau Desktop across both Windows and Linux platforms.
Overview of Identified Vulnerabilities
Salesforce Security’s assessment uncovered five distinct vulnerabilities, each posing significant risks:
1. CVE-2025-26496: This is the most severe vulnerability, with a CVSS score of 9.6. It involves a ‘Type Confusion’ flaw in the File Upload modules, allowing Local Code Inclusion attacks. This occurs when the application mishandles data types during file processing, enabling attackers to bypass security controls and execute arbitrary code. Affected versions include Tableau Server prior to 2025.1.4, 2024.2.13, and 2023.3.20.
2. CVE-2025-26497 and CVE-2025-26498: Both vulnerabilities have a CVSS score of 7.7 and involve the unrestricted upload of files with dangerous types. They affect the Flow Editor and establish-connection-no-undo modules, respectively. These flaws enable Absolute Path Traversal attacks, allowing attackers to write files to arbitrary locations on the server filesystem.
3. CVE-2025-52450 and CVE-2025-52451: Each with a CVSS score of 8.5, these vulnerabilities pertain to the tabdoc API’s create-data-source-from-file-upload modules. CVE-2025-52450 involves improper limitation of a pathname to a restricted directory, while CVE-2025-52451 relates to improper input validation. Both allow attackers to perform directory traversal attacks, accessing sensitive system files outside the intended upload directory.
Technical Details and Potential Impact
The ‘Type Confusion’ vulnerability (CVE-2025-26496) arises when the application incorrectly handles data types during file processing. This flaw can be exploited to bypass security controls, leading to arbitrary code execution on the target system.
The unrestricted file upload vulnerabilities (CVE-2025-26497 and CVE-2025-26498) allow attackers to upload files with dangerous types without proper validation. This can result in Absolute Path Traversal attacks, where malicious files are written to arbitrary locations on the server filesystem, potentially leading to unauthorized access and control.
The path traversal vulnerabilities (CVE-2025-52450 and CVE-2025-52451) enable attackers to access sensitive system files outside the intended upload directory. By exploiting improper input validation, attackers can bypass path sanitization mechanisms using techniques like double encoding or Unicode normalization attacks. This can lead to overwriting critical system files, accessing configuration data, or planting webshells for persistent access.
Immediate Action Required
Organizations using affected versions of Tableau Server are strongly advised to upgrade to the latest supported maintenance release immediately. Salesforce has provided patches as part of the July 22, 2025 Maintenance Release.
System administrators should prioritize patching due to the critical CVSS scores and the potential for remote code execution. The combination of file upload and path traversal vulnerabilities creates a dangerous attack vector that could lead to complete server compromise, data exfiltration, and deployment of ransomware or other malicious payloads.
Recommended Mitigation Steps
1. Upgrade Tableau Server: Ensure that all instances of Tableau Server are updated to the latest maintenance release to address these vulnerabilities.
2. Review Access Logs: Monitor server access logs for any suspicious file upload activities that could indicate exploitation attempts.
3. Implement Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block path traversal attempts and other malicious activities targeting file upload functionalities.
4. Conduct Security Assessments: After applying patches, perform thorough security assessments to ensure no compromise occurred prior to remediation.
Conclusion
The discovery of these critical vulnerabilities in Tableau Server underscores the importance of proactive security assessments and timely patch management. Organizations must act swiftly to apply the necessary updates and implement robust security measures to protect their systems from potential exploitation.
